Change password form exposes password text in URL as plain text #436
Comments
This may be related to one or more upstream packages. I opened an issue with the Differential accounts entry package. Edit: I was mistaken here. The form is simply written in our project as a template / AutoForm hook. |
To be considered: fixing by re-writing the form in our project. |
@mauriciovieira Could you be interested in this task? Brylie offers pair-programming assistance. If you are interested, can you estimate how many hours it takes to complete the task? |
When would you like to schedule a pair programming session? |
@brylie tomorrow morning. |
OK, what timezone? |
Sorry. I am at GMT-0300, you GMT+0300. The common period is 2PM - 6PM your time. |
Alright. How about 15:30 EET? |
I am in #apinf on Freenode. |
@brylie suggested using https://atmospherejs.com/useraccounts/core if changing https://github.com/apinf/api-umbrella-dashboard/blob/b052727d8a57a5592e64226b1e9551eeafe3c703/lib/NCSchemas.js#L3 does not work. |
TODO: Check out the AutoForm sandbox for examples. Take a look at AutoForm playground, SimpleSchema, and Collection2 |
@mauriciovieira a third, possibly simple, option would be to write the HTML form by hand. This would be trivial, as there are only three fields and a button. Once you have a simple HTML form, you can override the form submit event in the Meteor template/form event to validate the submission (there is already code for this which should work with some changes). |
One change that needs to be made to the existing event code is to use arguments that are available to Meteor template events. Specifically, each template event can catch two optional arguments

Given the following HTML:

```html
<form id="a-form">
  <input type="text" name="inputName">
  <input type="submit" value="Submit">
</form>
```

You can hook into the submit event like so:

```js
Template.body.events({
  "submit #a-form": function (event, template) {
    // Do something with event and template, etc.
  }
});
```

The

```js
// Inside the event function
// Get the value of the "inputName" field
var fieldNameValue = event.target.inputName.value;
```

Further reading
|
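An added example, not part of the thread or the project's code: it shows the URL a default GET form submission would produce, next to a submit handler that cancels that navigation and hands the values to a method call. The field names, `defaultGetNavigation`, `makeSubmitHandler`, `notify` and the `dashboard.example` URL are assumptions made for illustration; in a Meteor app the injected function would be `Accounts.changePassword`.

```javascript
// Added example. Field names oldPassword/newPassword/confirmPassword are assumed.

// Default browser behaviour for a <form> with no method attribute: the method is
// GET, so every named field is serialized into the query string of the page URL.
function defaultGetNavigation(pageUrl, fields) {
  const url = new URL(pageUrl);
  url.search = new URLSearchParams(fields).toString();
  return url.toString();
}

// Builds a handler with the (event, template) signature of Meteor template events.
// changePassword is injected so the handler runs outside Meteor; in the app it
// would be Accounts.changePassword(oldPassword, newPassword, callback).
// notify(level, message) is a hypothetical stand-in for the alert UI.
function makeSubmitHandler(changePassword, notify) {
  return function (event, template) {
    // First statement: cancel the default GET navigation before anything can throw.
    event.preventDefault();
    const form = event.target;
    const fields = [form.oldPassword, form.newPassword, form.confirmPassword];
    const [oldPassword, newPassword, confirmPassword] = fields.map((f) => f.value);
    if (!oldPassword || !newPassword) {
      notify("error", "All fields are required");
      return;
    }
    if (newPassword !== confirmPassword) {
      notify("error", "New passwords do not match");
      return;
    }
    changePassword(oldPassword, newPassword, function (error) {
      // Clear the inputs either way so the values do not linger in the DOM.
      fields.forEach((f) => { f.value = ""; });
      if (error) notify("error", "Password change failed");
      else notify("success", "Password changed");
    });
  };
}

// Constructed sample values, for illustration only.
const sample = { oldPassword: "old-Secret1", newPassword: "new-Secret2", confirmPassword: "new-Secret2" };
console.log(defaultGetNavigation("https://dashboard.example/account", sample));
```
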
@mauriciovieira Hi, seems that you have been making good progress together with Brylie. Could you estimate the remaining hours in this task and move the task to "in progress" in the Waffle board? |
* Use preventDefault() to not submit the form
* Add updatePassword schema client-side validation
* Add sAlert to master layout.
@bajiat It is done. |
PR is merged. |
When submitting the Change Password form, passwords are exposed in the URL as plain text arguments. Submit the form as a POST to prevent the issue, and file a report with the upstream project (yogiben:meteor-starter).