
Login validation #2

Closed
KristofferHebert opened this Issue Nov 9, 2015 · 7 comments

KristofferHebert commented Nov 9, 2015

Hello,

On my project, it seems posting to /api/logins gives you a token, no matter what. How would you use hooks for validation on the existing api/login route? Is there another way to validate the logins?

marshallswain commented Nov 9, 2015

Can you give me some more details on what type of validation you are trying to do? If you're getting a token even if you post an empty body or random information, that's a bug. Please let me know if that's the case.

/api/login (no 's') is intended to be an endpoint specifically for (1) turning username/password data into a token or (2) exchanging an existing token for a fresh one.

For (1) above, it's only validating that the user exists and that the password is correct. If that validation passes, it gives a token back. That token is then passed in to the socket connection or as the Authentication header in an Ajax call. The feathers-authentication plugin will validate the token and set it up as the user that you can use in conjunction with feathers-hooks.

KristofferHebert commented Nov 9, 2015

Doing an empty POST request to /api/login returns a valid auth token. Doing a POST request to /api/login with invalid credentials returns a valid auth token.

I put an authentication hook on my users and I am able to do CRUD actions with the bearer token.

If you want to look at my code, here it is.

https://github.com/KristofferHebert/feathers-es6-passport


marshallswain commented Nov 9, 2015

Wow. That's such a user friendly login. So trusting! That should be a simple fix. If you want to give it a shot, I'd love help. Thank you for reporting. I should have an evening this week to work on it.

marshallswain commented Nov 14, 2015

@KristofferHebert It's taking me longer than usual to finish everything thanks to some guy who stole my laptop. I had a couple minutes to work on it today and just pushed a commit that I think has solved the problem. I'll be adding tests for it, soon, but if you wouldn't mind trying it out, I'd very much appreciate it.

@marshallswain marshallswain added this to the 1.0 release milestone Nov 16, 2015

KristofferHebert commented Nov 29, 2015

It looks like api/login has been secured. However, I am no longer able to log in. Is it just me?

marshallswain commented Nov 29, 2015

I'm having pretty good luck with it in its current state. Have you debugged to see where it is failing?

marshallswain commented Dec 27, 2015

@KristofferHebert I'm going to close this since it's working for me. If you are still having issues, please reopen.
