Async matcher does not handle rejections about zxcvbn HOT 7 CLOSED

I thought about a config parameter too but this is a bit tricky so first let's get rid of the major issue and than make it better 👍

from zxcvbn.

@RossCurry what do you except what should happen? I would simply return false for the matcher in case of an network error.

from zxcvbn.

Not sure about @RossCurry (on holiday atm), but I'd expect the promise to be rejected. Are there any considerations for not propagating errors like that?

from zxcvbn.

The problem is that if an error is thrown inside zxcvbn-ts it will not be further executed. Which means a user won't get a scoring for the password.
I would assume in most cases the Form has a validation for the password strength.
For example this would mean the user can not register anymore and will be pretty annoyed. An error like "Our password scoring is currently not working" is not something that the user will understand.

from zxcvbn.

That's a fair point, and I agree it's a sensible default for most usecases. For other usecases it's a dangerous default though as we'd fail silently. If we'd apply zxcvbn on a server with incorrect network policies (e.g. whitelisting domains that the server is allowed to access, where the pwnd domain is not whitelisten), then a sysadmin would never detect this misconfiguration.

That being said, I'm not sure how to best cater to all usecases though. Possibly a configuration function handleNetworkError: (error:Err) => boolean | Error (where the default is false)?

from zxcvbn.

@LaurensRietveld i published a new version for the pwned matcher

from zxcvbn.

Thanks a lot!

from zxcvbn.