Check usernameOnly parameter in passwordMatches #609

Merged
merged 2 commits into from Dec 4, 2016


@lsohn
Contributor
lsohn commented Dec 4, 2016

When authenticating to dashboard using encrypted passwords, bcrypt throws an error in the authenticate function that userToTest.pass is undefined. This happens when the userToTest object does not contain a password, which happens every time deserializeUser is called. The solution is to check the usernameOnly flag when initializing passwordMatches to avoid passing an undefined value to bcrypt.

@facebook-github-bot
Collaborator

By analyzing the blame information on this pull request, we identified @JeremyPlease, @dvanwinkle and @johnnydimas to be potential reviewers.

@facebook-github-bot
Collaborator

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please sign up at https://code.facebook.com/cla - and if you have received this in error or have any questions, please drop us a line at cla@fb.com. Thanks!

If you are contributing on behalf of someone else (eg your employer): the individual CLA is not sufficient - use https://developers.facebook.com/opensource/cla?type=company instead. Contact cla@fb.com if you have any questions.

@facebook-github-bot
Collaborator

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Facebook open source project. Thanks!

@70mmy
70mmy commented Dec 4, 2016 edited

Hi,

I just encountered this bug and got to the same conclusion: the passwordMatches check should not be done if usernameOnly is true.

The solution in this pull request fixes the bug, but it actually forces a check of whether userToTest.pass is equal to user.pass, which is still wrong since userToTest.pass is undefined.

I would replace that line with:

// Skip the password comparison entirely when only the username is being checked,
// so bcrypt never receives an undefined password.
let passwordMatches = false;
if (!usernameOnly) {
    passwordMatches = this.useEncryptedPasswords
        ? bcrypt.compareSync(userToTest.pass, user.pass)
        : userToTest.pass == user.pass;
}

@lsohn
Contributor
lsohn commented Dec 4, 2016

Yeah either way is fine, I was just going for less is more. The statement user.pass == undefined evaluates to a boolean value, not undefined. If usernameOnly is true, then it doesn't matter whether passwordMatches is true or false since the (usernameOnly || passwordMatches) statement on the following line will always hold true.

@70mmy
70mmy commented Dec 4, 2016

You are right, both have the same result, I just thought my solution is easier to understand :D

@JeremyPlease

@lsohn Thanks for catching and fixing this!
That code could definitely use some cleanup 😶

Could you please add a test for this case to src/lib/tests/Authentication.test.js? It should be something like the test for "authenticates valid user with valid username and usernameOnly", except with useEncryptedPasswords.

@facebook-github-bot
Collaborator

@lsohn updated the pull request

@JeremyPlease

Looks good!

@flovilmart
Collaborator

@JeremyPlease, feel free to merge!

@JeremyPlease
Contributor

@flovilmart I don't have merge access on this repo 😞

@flovilmart
Collaborator

And you can review :/ whatever GitHub :)

@flovilmart flovilmart merged commit b3fcf2b into ParsePlatform:master Dec 4, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed