checkMetricsAuth in app/middleware/metrics.js has three branches that reject:

1. Missing Authorization header
2. Header without Bearer prefix
3. Bearer-prefixed but token mismatch:
   a. Equal-length supplied vs required → timingSafeEqual
   b. Different-length → sha256-of-both fallback returning ... && false

The existing tests cover (1), (3b), and the happy path. Missing: (2) and (3a). A future "lenient parser" refactor or an "optimization" that returned true on a length-equal comparison would slip through.

Fix: add explicit tests for both branches.
Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/