Config auditor false negative #1482

Open
kethinov opened this issue Jan 19, 2025 · 0 comments
An obscure situation can be triggered to cause the config auditor to pass when it shouldn't.

This was observed with the csrfProtection config defined in this old commit:

case 'csrfProtection':
checkTypes(userParam, key, ['boolean'])
break

In that config schema from that old commit, csrfProtection expects to only receive boolean config values, which was a bug that has since been fixed. However, while debugging, we noticed odd behavior that reveals a deeper bug.

If you change the config auditor back to only accept booleans for csrfProtection, then configure a Roosevelt app config in certain ways, the config audit won't fail in cases where it should.

Example configs:

If you configure a Roosevelt app config with:

"csrfProtection": {
  "exemptions": [
    "/login/openid",
    "/login/openid/auth"
  ]
},

It will not fail the config auditor, even though it should, because an object is not a boolean.

However if you give the app this config instead:

"csrfProtection": {
  "exemptions": [
    "/verify"
  ]
},

That will fail the config auditor. It's unclear why the two exemptions objects with different entries trigger different behavior.

@kethinov kethinov added the bug label Jan 19, 2025
@kethinov kethinov self-assigned this Jan 19, 2025
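The check a config auditor needs here is one that classifies the value by its real runtime type before comparing it with the allowed list, so that an object (or array, or null) can never satisfy a boolean-only schema entry regardless of what it contains. The following is an added example and is not Roosevelt's own config auditor; the helper names (typeTag, checkTypes, auditConfig), the schema shape and the sample configs are assumptions, with the two csrfProtection objects constructed to mirror the ones in the issue.

```javascript
// Added example, not Roosevelt's own code. Names and schema shape are assumed.

// Return a precise type tag so objects, arrays and null are never confused
// with each other or with primitives (typeof alone reports 'object' for
// both plain objects and null, and never reports 'array').
function typeTag (value) {
  if (value === null) return 'null'
  if (Array.isArray(value)) return 'array'
  return typeof value // 'boolean', 'string', 'number', 'object', 'undefined', ...
}

// Check one config value against the allowed type tags for its key.
// Returns an error string, or null when the value is acceptable.
function checkTypes (userParam, key, allowedTypes) {
  const actual = typeTag(userParam)
  if (allowedTypes.includes(actual)) return null
  return `${key}: expected ${allowedTypes.join(' or ')}, got ${actual}`
}

// Assumed schema: the old boolean-only csrfProtection entry quoted in the
// issue, plus one unrelated key to show the audit covers every schema entry.
const schema = {
  csrfProtection: ['boolean'],
  port: ['number']
}

// Audit every schema key present in the config and collect all problems
// rather than stopping at the first, so the result is a complete list and
// a bad value cannot be masked by an early return elsewhere in the loop.
function auditConfig (config, schema) {
  const errors = []
  for (const key of Object.keys(schema)) {
    if (!(key in config)) continue // absent keys fall back to defaults; not audited here
    const err = checkTypes(config[key], key, schema[key])
    if (err) errors.push(err)
  }
  return errors
}

// Constructed sample configs (not taken from any real app).
const twoExemptions = {
  csrfProtection: { exemptions: ['/login/openid', '/login/openid/auth'] },
  port: 43711
}
const oneExemption = {
  csrfProtection: { exemptions: ['/verify'] },
  port: 43711
}
const booleanConfig = { csrfProtection: true, port: 43711 }
const wrongPortToo = { csrfProtection: false, port: '43711' }

// Stand-alone run: both object-valued csrfProtection configs must fail.
console.log(auditConfig(twoExemptions, schema))
console.log(auditConfig(oneExemption, schema))
console.log(auditConfig(booleanConfig, schema))
console.log(auditConfig(wrongPortToo, schema))
```

Under a boolean-only schema both object configs produce exactly one error for csrfProtection, independent of how many exemptions the object lists; the boolean config passes cleanly, and the string port is reported as its own error.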