Err on null password login #1119

dbauszus-glx · 2024-02-07T13:08:24Z

User can be added with the api/user/add endpoint. These user have null as password. User with a null password cannot reset their password. The primary use case for these user is to provide a user object for SAML and other third party login.

The account should not get locked trying to login with a random password.

The fromACL method should return an appropriate error when a user with null password attempts to login with password.

The bcrypt method will crash the process attempting to compare string with null/object. This must not happen.

The user must returned as undefined fromACL to prevent the failed login counter to lock the account.

sonarcloud · 2024-02-07T13:08:51Z

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

dbauszus-glx added 2 commits February 7, 2024 12:56

Err on null password login

c25ae04

return fail message; do not lock account

8c74d5d

dbauszus-glx requested review from AlexanderGeere, RobAndrewHurst, simon-leech and cityremade February 7, 2024 13:08

dbauszus-glx added the Security Ticket relates to either the authentication process, security headers, and or encryption. label Feb 7, 2024

RobAndrewHurst approved these changes Feb 7, 2024

View reviewed changes

dbauszus-glx merged commit 2cf1041 into GEOLYTIX:main Feb 8, 2024
5 checks passed

dbauszus-glx deleted the null-password branch March 15, 2024 10:48

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Err on null password login #1119

Err on null password login #1119

dbauszus-glx commented Feb 7, 2024

sonarcloud bot commented Feb 7, 2024

Err on null password login #1119

Err on null password login #1119

Conversation

dbauszus-glx commented Feb 7, 2024

sonarcloud bot commented Feb 7, 2024

Quality Gate passed