[8.x] Add default timeout to NotPwnedVerifier #37440
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
GrahamCampbell
requested changes
May 20, 2021
GrahamCampbell
changed the title
pgrenaud
force-pushed
the
notpwnedverifier-timeout
branch
from
81030fc
to
cb5ffc6
Compare
|
@GrahamCampbell Sorry about that! I've made the requested fixes. |
GrahamCampbell
requested changes
May 20, 2021
pgrenaud
force-pushed
the
notpwnedverifier-timeout
branch
from
cb5ffc6
to
3a0af0a
Compare
|
I think 3 or 5 seconds is appropriate amount of time to wait |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The NotPwnedVerifier makes HTTP request to verify that the given password has not been compromised in public breaches using the Have I Been Pwned public API. Any HTTP request made to an external service can hang for a long time if this service is under heavy load and not responding in a prompt manner. The HTTP request is made using Guzzle, which default to wait indefinitely.
This PR defines a default timeout value of 15 seconds to be use by the NotPwnedVerifier when making HTTP request to the API. The value of 15 seconds is a value that we use in production for some API. We could argue that this value could be higher or lower, and I would happily change it. But I do think that it is important that some timeout value be configured to prevent the request made by the end user from hanging for a long time or reaching PHP's max_execution_time of 30 seconds.
I would like to expose this value to the configuration (it is already configurable by the service provider), but I'm not sure in which configuration file it should be.
Also, I would have like to add a unit test to simulate this exact scenario, but unfortunately, since the request never reaches CURL in the testing environment, the timeout value has no effect.