Change password form exposes password text in URL as plain text

[brylie]

When submitting the Change Password form, passwords are exposed in the URL as plain text arguments. Submit the form as a POST to prevent the issue, and file a report with the upstream project (yogiben:meteor-starter).

[brylie]

This may be related to one or more upstream packages. I opened an issue with the Differential accounts entry package.

Edit: I was mistaken here. The form is simply written in our project as a template / AutoForm hook.

[bajiat]

To be considered: fixing by re-writing the form in our project.

[bajiat]

@mauriciovieira Could you be interested on this task? Brylie offers pair-programming assistance. If you are interested, can you estimate how many hours it takes to complete the task?

[mauriciovieira]

@bajiat yes, I am interested. It is really hard to estimate right now, so I ask @brylie to give me a hand on this.

[brylie]

When would you like to schedule a pair programming session?

[mauriciovieira]

@brylie tomorrow morning.

[brylie]

OK, what timezone?

[mauriciovieira]

Sorry. I am at GMT-0300, you GMT+0300. The common period is 2PM - 6PM your time.

[brylie]

Alright. How about 15:30 EET?

[brylie]

I am in #apinf on Freenode.

[mauriciovieira]

@brylie suggested to use https://atmospherejs.com/useraccounts/core if changing https://github.com/apinf/api-umbrella-dashboard/blob/b052727d8a57a5592e64226b1e9551eeafe3c703/lib/NCSchemas.js#L3 does not work.

[mauriciovieira]

TODO: Check out the AutoForm sandbox for examples.Take a look at AutoForm playground, SimpleSchema, and Collection2

[brylie]

@mauriciovieira a third, possibly simple, option would be to write the HTML form by hand. This would be trivial, as there are only three fields and a button.

Once you have a simple HTML form, you can override the form submit event in the Meteor template/form event to validate the submission (there is already code for this which should work with some changes).

[brylie]

One change that needs to be made to the existing event code is to use arguments that are available to Meteor template events. Specifically, each template event can catch two optional arguments event and template respectively.

Given the following HTML:

<form id="a-form">
  <input type="text" name="inputName">
  <input type="submit" value="Submit">
</form>

You can hook into the submit event like so:

Template.body.events({
  "submit #a-form": function (event, template) {
    // Do something with event and template, etc.

The event object will now have useful method(s) including the ability to get the value of form elements:

// Inside the event function
// Get the value of the "inputName" field
var fieldNameValue = event.target.inputName.value;

Further reading

• Your First Meteor Application Chapter 6: Events
• Your First Meteor Application Chapter 9: Forms
• Meteor Documentation Template events

[bajiat]

@mauriciovieira Hi, seems that you have been making good progress together with Brylie. Could you estimate the remaining hours in this task and move the task to "in progress" in the Waffle board?

[mauriciovieira]

@bajiat Hi. I am not able to change the card in the Waffle board, but only using github issues interface. This started happening today.

The work is almost done. Brylie is reviewing the Pull Request #505

[mauriciovieira]

@bajiat It is done.

[brylie]

PR is merged.