This repository has been archived by the owner on Aug 29, 2018. It is now read-only.
The credentials sent between the client and the Feathers API server are unsecured.
<!DOCTYPE html>
<html>
  <head>
    <title>Feathers client</title>
  </head>
  <body>
    <script src="//unpkg.com/feathers-client@^2.0.0/dist/feathers.js"></script>
    <script>
      // feathers-client is exposed as the `feathers` global.
      var app = feathers()
        .configure(feathers.hooks())
        .configure(feathers.rest().fetch(fetch))
        .configure(feathers.authentication());

      // The local strategy puts email and password in the request body as-is.
      app.authenticate({
        strategy: 'local',
        email: 'test@example.com',
        password: 'secret'
      }).then(result => {
        console.log('Client authenticated', result);
      });
    </script>
  </body>
</html>
The above creates a hash and saves it in the database when a user is created. That is correct.
But if you print the request data in the before hook, you will find the plain text password there.
// Assumed imports for the snippet below (the issue does not show them):
// `auth` is feathers-authentication 1.x, `discard` comes from feathers-hooks-common.
// `populateUser`, `restToSocketAuth` and `config` are app-specific and defined elsewhere.
const auth = require('feathers-authentication');
const { discard } = require('feathers-hooks-common');

app.service('authentication').hooks({
  before: {
    // You can chain multiple strategies on the create method.
    // `before()` runs first, so it sees the request body exactly as the client sent it.
    create: [before(), auth.hooks.authenticate(['jwt', 'local'])],
    remove: auth.hooks.authenticate('jwt')
  },
  after: {
    // `discard('user.password')` removes the stored password field from the
    // response; it does not touch the request body.
    create: [populateUser(config), discard('user.password'), restToSocketAuth()]
  }
});

// Debugging hook that prints the hook context. A hook is a plain function of the context.
function before(options) {
  // The hook function itself is returned.
  return context => {
    console.log(`* type: ${context.type}, method: ${context.method}`);
    if (context.data) {
      // The password is received as plain text on the server, also during login.
      console.log('data:', context.data);
    }
    if (context.params && context.params.query) {
      console.log('query:', context.params.query);
    }
    if (context.result) {
      console.log('result:', context.result);
    }
    if (context.error) {
      console.log('error:', context.error);
    }
  };
}
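The data the hook above prints is the request body the local strategy needs to do its job, so the server-side fix is not to stop receiving it but to stop writing it to logs. As an added example (not code from the issue or from feathers-client), here is a logging hook that masks the credential in what it logs while leaving `context.data` intact for the strategy that runs after it. A Feathers hook is just a function of the hook context, so this runs without Feathers; the `SENSITIVE` field list, the hook name `logRequest` and the sample context object are constructed for the demo.

```javascript
// Added example, not code from the issue or from feathers-client.
// Fields that must never reach a log line (list chosen for this demo).
const SENSITIVE = ['password', 'accessToken'];

// Return a shallow copy of an object with sensitive fields masked, so the
// original request data (which the local strategy still needs) is untouched.
function redact(obj) {
  if (!obj || typeof obj !== 'object') return obj;
  const copy = { ...obj };
  for (const key of SENSITIVE) {
    if (key in copy) copy[key] = '[REDACTED]';
  }
  return copy;
}

// Logging hook: records type/method/path/query and a redacted view of the
// body, then returns the context unchanged for the next hook in the chain.
function logRequest(log = console.log) {
  return context => {
    const entry = {
      type: context.type,
      method: context.method,
      path: context.path,
      data: redact(context.data),
      query: context.params && context.params.query
    };
    log(JSON.stringify(entry));
    return context;
  };
}

// Constructed sample context, shaped like the one a
// `app.service('authentication').create({...})` call produces in a before hook.
function sampleContext() {
  return {
    type: 'before',
    method: 'create',
    path: 'authentication',
    data: { strategy: 'local', email: 'test@example.com', password: 'secret' },
    params: { provider: 'rest', query: {} }
  };
}

// Run the hook over the sample context with a capturing logger.
function demoRedaction() {
  const lines = [];
  const ctx = logRequest(line => lines.push(line))(sampleContext());
  return { logged: lines[0], dataStillHasPassword: ctx.data.password };
}

console.log(demoRedaction().logged);
```

Registered in place of the debugging hook, it would sit first in the chain, e.g. `create: [logRequest(), auth.hooks.authenticate(['jwt', 'local'])]`; the strategy still receives the plain text password, only the log does not.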
You definitely have to use HTTPS, but how is the server supposed to check if the given password matches if you already send it encrypted from the client? I'm sure there are Passport strategies that create a hash of the password to send over, but this is how local authentication works.