zxcvbn-api
Enhancements
If the intent is to really turn this into a backing service, should probably add the following.
- Add CORS support (cross origin)
- Size limit for body parser (5kb should be way more than enough), will prevent some flooding/injection attacks
- Add an error handler that returns JSON. It is good for all API interfaces to return errors in the same common format the API itself uses. Errors should return an object with a single `error` property containing at least a `code` (corresponding to the HTTP status code) and a `message` (containing the error text), and optionally other error properties.
```javascript
{ // single object response, with a single property of "error"
  error: {
    code: 400,             // invalid input, or 5xx for other errors
    message: error.message, // original or custom error message
    ...error,              // other properties from error; message is inherited and doesn't serialize
  },
}
```
Possible value-adds:
I originally did this to fit our own needs and thought others may have a similar use case. I considered making it a publicly available running service, but didn't want to incur the costs involved in running a server and getting a domain.
Regarding the CORS idea, I'm open to putting that support in here, but we mitigated it by simply not exposing the API directly. API calls come into a PHP backend for the data, and it uses cURL to call this API directly for the score. We were able to run this API in a Docker container that's only available to our backend API.
I think the CORS support only makes sense if this API were available directly. Do you know of a way we could spin this up for free somewhere? If so, it would definitely need community support.
The error object makes sense and seems like a good idea. I'll work that in next time I'm able to work on this.
Thanks for taking a look and suggesting those improvements.
I'm not sure if Heroku still offers a free dyno; that might be an option. I'd do a PR if I had the time right now; I just wanted to at least look at the implementation.
I really appreciate that, I'm definitely open to making it more valuable for others if a need develops.