16
votes
Accepted
How would you test a lexer?
Your grammar probably has some rules for each token on how it can be produced (for example, that a { signifies a BLOCK_START token, or that a string-literal token is delimited by " characters). ...
16
votes
How would you test a lexer?
If you're writing the lexer yourself, this seems like an ideal case for test-driven development.
While “the number of combinations of tokens in a source file can be huge,” the number of branches in ...
- 139k
7
votes
How would you test a lexer?
One alternative that others aren't mentioning, is to use a test generative approach—like QuickCheck from Haskell—to generate the edge cases from the grammar you've defined.
Now, once they're generated,...
- 761
6
votes
Is there a common agreed upon token symbol used in computer science or common across languages?
No.
This is called string interpolation or substitution. Your language may define a syntax, your framework or tooling might define a syntax, and you can always define your own syntax and rules.
This ...
- 11.2k
5
votes
Accepted
Race condition when issuing a refresh token: worth addressing or not?
Technically that's not a race condition. But rather a consensus problem.
Is there a standard/most used way to address this situation? Or is it deemed unnecessary?
Yes. Accept those rare cases and ...
- 3,085
4
votes
What are the advantages of refresh token?
The key to systems with separate Access and Refresh tokens is that they involve three parties:
The client that wants to access some service
The service they want to access
A separate service which is ...
- 5,957
3
votes
What are the advantages of refresh token?
One key advantage of refresh tokens that's being missed is that they are revokable, while the access token is not.
To authenticate the access token, only its signature is checked. This makes it ...
- 391
3
votes
Local storage or HTTP Only Cookie for RefreshToken?
It strongly depends on the context, and it belongs to you to evaluate the different risks and the probability of those risks in your particular case.
Historically and in general, XSS and JavaScript ...
- 139k
3
votes
How exactly is the cancellation token mechanism implemented over HTTP?
HTTP is implemented on top of TCP. This means that at any point, the client can simply send a FIN packet to the server to close the connection. The server should react to this by indicating request ...
- 15.6k
3
votes
What are the advantages of refresh token?
You don't have to use refresh tokens. The client could ask for username/password every time (which is annoying to the end user), or store the credentials, with the risk of leaking them. Passwords are ...
- 3,167
3
votes
How exactly is the cancellation token mechanism implemented over HTTP?
Both sides have persistent storage, so we don't need the transport mechanism to have persistent storage. At a very naive level:
Frontend to backend: "Please start doing THING for me"
...
- 26.1k
2
votes
OAuth Client Credentials Security Concern
Your current design does seem insecure: the company B can authenticate to your services via some secret, yet this secret must be transmitted to end user devices for your design to work. You can't ...
- 136k
2
votes
Accepted
How exactly is the cancellation token mechanism implemented over HTTP?
The usual cancellation token in ASP isn't transmitted at all, rather it comes from loss of transmission. If the connection between client and webserver is dropped while user code is generating content,...
- 15.3k
1
vote
Race condition when issuing a refresh token: worth addressing or not?
What the user sees: First time they use the application they need to enter their username and password or the app doesn’t work. Then for some time it just works, then at some unpredictable time (for ...
- 49.4k
1
vote
Race condition when issuing a refresh token: worth addressing or not?
I always address the race condition of multiple requests all wanting to refresh at the same time. But I never bother with the Error handling of client not getting the new token.
I think this is mainly ...
- 84.4k
1
vote
OAuth Client Credentials Security Concern
The big red flag for me here is the fact that you are using a single client access token for an entire company. If you expect one user's notes to be locked down to just that user, that user needs to ...
1
vote
Refresh Token Storage on cloud best practice?
If I may, I'll abstract your question into "I have something short and secure that needs to be stored - where can I store it?"
Secret Manager and RDS are both legitimate places to store ...
1
vote
Token based authentication to multiple API servers
Yes, if the attacker gains control over the auth server then they can generate their own tokens.
However there isn't much you can do about that. The auth server needs a private key in order to be able ...
- 84.4k
Only top scored, non community-wiki answers of a minimum length are eligible