* Verify token signature in constant time
To prevent timing side-channel attacks.
* Run cheap checks first in token validation process
Expensive checks such as the nonce lookup on the database or the
signature check can be run after cheap/fast checks.
* docker: do not require password for PostgreSQL superuser
A password is now required by the postgres Docker image which makes
initial setup (and our CI build) fail with the following error:
postgres_1 | Error: Database is uninitialized and superuser password is not specified.
postgres_1 | You must specify POSTGRES_PASSWORD for the superuser. Use
postgres_1 | "-e POSTGRES_PASSWORD=password" to set it in "docker run".
postgres_1 |
postgres_1 | You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
postgres_1 | without a password. This is *not* recommended. See PostgreSQL
postgres_1 | documentation about "trust":
postgres_1 | https://www.postgresql.org/docs/current/auth-trust.html
See https://github.com/docker-library/postgres/issues/681.
* docker,kubernetes: create PostgreSQL "privacy" type before using it
Fixes the following error when setting up the database:
postgres_1 | 2020-02-21 01:01:22.371 UTC [172] ERROR: type "privacy" does not exist at character 200
postgres_1 | 2020-02-21 01:01:22.371 UTC [172] STATEMENT: CREATE TABLE public.playlists
postgres_1 | (
postgres_1 | title text,
postgres_1 | id text primary key,
postgres_1 | author text,
postgres_1 | description text,
postgres_1 | video_count integer,
postgres_1 | created timestamptz,
postgres_1 | updated timestamptz,
postgres_1 | privacy privacy,
postgres_1 | index int8[]
postgres_1 | );
postgres_1 | ERROR: type "privacy" does not exist
postgres_1 | LINE 10: privacy privacy,
* travis: do not run "docker-compose up" in detached mode
Rather, allow database to finish its setup procedure and grant
Invidious time to launch.
Try to read app config from the "INVIDIOUS_CONFIG" environment variable.
If the variable is undefined, read config from config.yml file as before.
Required by https://github.com/omarroth/invidious/pull/1015 et al.
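
The ordering described in the first two commits above, sketched in Python as an added example; it is not code from Invidious or from these commits. The token fields, scope strings, key and the in-memory nonce set standing in for the database are all assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed values: the key and the nonce store are assumptions for this sketch.
HMAC_KEY = b"constructed-demo-key"
SEEN_NONCES = set()  # stands in for the database nonce table


def sign(payload):
    """HMAC-SHA256 over a canonical JSON encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(HMAC_KEY, body, hashlib.sha256).hexdigest()


def make_token(session, scopes, nonce, expire):
    payload = {"session": session, "scopes": scopes, "nonce": nonce, "expire": expire}
    return {**payload, "signature": sign(payload)}


def validate(token, session, scope, now=None):
    """Return "ok" or the reason for rejection."""
    now = time.time() if now is None else now
    # Cheap checks first. These fields are still unauthenticated, so they may
    # only cause a rejection; nothing is trusted until the signature verifies.
    signature = token.get("signature")
    if not isinstance(signature, str):
        return "missing signature"
    if token.get("session") != session:
        return "session mismatch"
    scopes = token.get("scopes")
    if not isinstance(scopes, list) or scope not in scopes:
        return "scope mismatch"
    expire = token.get("expire")
    if not isinstance(expire, (int, float)) or expire <= now:
        return "expired"
    # Expensive check 1: recompute the MAC and compare in constant time, so the
    # response time does not reveal how many leading characters matched.
    payload = {k: v for k, v in token.items() if k != "signature"}
    if not hmac.compare_digest(sign(payload).encode(), signature.encode()):
        return "bad signature"
    # Expensive check 2: nonce lookup, reached only by authentic tokens.
    if token["nonce"] in SEEN_NONCES:
        return "replayed nonce"
    SEEN_NONCES.add(token["nonce"])
    return "ok"
```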