Implements Nonce generation and saving to cache #22

Closed
erkkiarus wants to merge 1 commit into web-eid:main from erkkiarus:WE2-412

@erkkiarus
Contributor

@erkkiarus erkkiarus commented Jun 30, 2023

  • Marked GetAndRemoveImpl method as obsolete in IChallengeNonceStore interface;
  • Moved InMemoryChallengeNonceStore class from Tests WebEid.Security project;
  • Added ChallengeNonceGeneratorBuilder class;
  • Added missing members' documentation comments.

Signed-off-by: Erkki Arus <erkki@raulwalter.com>

@erkkiarus erkkiarus marked this pull request as ready for review July 5, 2023 08:21
@erkkiarus erkkiarus force-pushed the WE2-412 branch 2 times, most recently from 8c6db08 to 34e7d46 July 14, 2023 13:13
@mrts
Member

mrts commented Aug 4, 2023

We cannot merge this for the following reasons:

  • IChallengeNonceStore.GetAndRemoveImpl() is intentional and must remain. IChallengeNonceStore.GetAndRemove() is a template method that defines the common steps that all implementations must perform and it relies on the GetAndRemoveImpl() helper method, which the implementations have to implement, to do the implementation-specific actual work. See this Wikipedia article about the Template Method pattern and this implementation from the Web eID ASP.NET example for a correct session-backed implementation of IChallengeNonceStore. This is also explained in the README.
  • InMemoryChallengeNonceStore can only be used in tests. The website backend must look up the challenge nonce from its local store using an identifier specific to the browser session, to guarantee that the authentication token was received from the same browser to which the corresponding challenge nonce was issued. InMemoryChallengeNonceStore does not guarantee this. Moreover, as it uses a single shared field for accessing and storing the nonce in a non-thread-safe way, it is in general unsuitable for use in multi-threaded multi-user web applications.

But thanks for fixing the tests and adding the ChallengeNonceGeneratorBuilder!
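
The template-method split and the session-bound lookup described in the comment above, as an added C# sketch that is not part of the pull request or the Web eID library. The `ChallengeNonce` record and the interface are simplified stand-ins; `SessionKeyedNonceStore`, its `sessionId` parameter and the use of `InvalidOperationException` are assumptions for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Concurrent;

// Simplified stand-in for the library's nonce type (assumed shape).
public sealed record ChallengeNonce(string Base64EncodedNonce, DateTime ExpirationTime);

public interface IChallengeNonceStore
{
    void Put(ChallengeNonce nonce);
    // Implementation-specific step: fetch and delete the nonce for this session.
    ChallengeNonce? GetAndRemoveImpl();
    // Template method (default interface member): checks shared by all stores.
    ChallengeNonce GetAndRemove()
    {
        var nonce = GetAndRemoveImpl()
            ?? throw new InvalidOperationException("Challenge nonce not found");
        if (DateTime.UtcNow >= nonce.ExpirationTime)
            throw new InvalidOperationException("Challenge nonce expired");
        return nonce;
    }
}

// Hypothetical store keyed by browser session ID (in-process map for the demo only).
public sealed class SessionKeyedNonceStore : IChallengeNonceStore
{
    private static readonly ConcurrentDictionary<string, ChallengeNonce> Nonces = new();
    private readonly string _sessionId;
    public SessionKeyedNonceStore(string sessionId) => _sessionId = sessionId;
    public void Put(ChallengeNonce nonce) => Nonces[_sessionId] = nonce;
    public ChallengeNonce? GetAndRemoveImpl() => // atomic removal makes the nonce single-use
        Nonces.TryRemove(_sessionId, out var nonce) ? nonce : null;
}

public static class Demo
{
    public static void Main()
    {
        IChallengeNonceStore a = new SessionKeyedNonceStore("session-A"); // constructed IDs
        IChallengeNonceStore b = new SessionKeyedNonceStore("session-B");
        a.Put(new ChallengeNonce("bm9uY2UtQQ==", DateTime.UtcNow.AddMinutes(5)));
        try { b.GetAndRemove(); }   // different session: nothing to look up
        catch (InvalidOperationException e) { Console.WriteLine($"B: {e.Message}"); }
        Console.WriteLine($"A: {a.GetAndRemove().Base64EncodedNonce}");
        try { a.GetAndRemove(); }   // second use in the same session: already consumed
        catch (InvalidOperationException e) { Console.WriteLine($"A again: {e.Message}"); }
    }
}
```

The sketch needs C# 9 or later for records and target-typed `new`; default interface members are available from C# 8.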

@erkkiarus
Contributor Author

IChallengeNonceStore is declared as an interface, not as an abstract class. An interface is not a place to define any method.

svenzik pushed a commit that referenced this pull request Jul 30, 2025
Updated documentation in For Ubuntu Linux and Docker sections

WE2-572

Signed-off-by: Mihkel Kivisild <mihkel.kivisild@hotmail.com>
mrts pushed a commit that referenced this pull request Nov 18, 2025
Updated documentation in For Ubuntu Linux and Docker sections

WE2-572

Signed-off-by: Mihkel Kivisild <mihkel.kivisild@hotmail.com>