buttercup-core
buttercup-core copied to clipboard
Provide error codes
It'd be good to throw some error codes, as well as the message. Identifying the wrong decryption key right now is quite difficult because you need to compare the whole string.
Agreed, though I would prefer to stay very vague when decryption errors occur. For example if something went wrong in the decryption, I would throw the same error if the password was wrong as well as if the HMAC failed.
Having too-specific error messages would provide a vector for easier brute-force attacks. Error messages around these security-conscious areas should be deliberately ambiguous and non-specific.
More on this: When and how would we use these error codes? Are the messages not enough? I'm not sure that we would typically be able to discern any new information from a numeric identifier.
That's fine, I agree with not giving the actual reason for the decryption failure.
I just think that throwing an object like this would be better:
{
code: "DCPT",
message: "Failed to decrypt archive\nError: Encrypted content has been tampered with"
}
That means that users wanting to display this message in their own way can just check if code === DCPT
rather than having to compare the whole message at the moment.
Agreed - this is a sensible approach :)
Might be best throwing a custom error here, so that (err instanceof Error) is still correct. I don't much like throwing strings, objects etc. over using actual Errors. The code property can be part of the extended class.