Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

E-mail verification step can be bypassed using Postman or Curl #391

Closed
IBwWG opened this Issue Jan 3, 2017 · 15 comments

Comments

Projects
None yet
5 participants
@IBwWG
Copy link

IBwWG commented Jan 3, 2017

OK, so, as a newcomer, I really am not sure where exactly this issue fits into this repo, but @eddyystop is pretty involved here so I'm taking his word for it. :) (Original issue is at https://github.com/eddyystop/feathers-starter-react-redux-login-roles but I'm assured that it's not about that repo.)

Steps to reproduce

  1. git clone https://github.com/eddyystop/feathers-starter-react-redux-login-roles/
  2. npm install
  3. npm start
  4. curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Cache-Control: no-cache" -H "Postman-Token: 95cf199c-f038-c893-7053-a8a09fbef2ca" -d 'name=i have a name&username=nammmmmmmmmmme&password=what the hey&confirmPassword=what the hey&email=yes@no.why' "http://localhost:3030/users"
  5. curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -H "Cache-Control: no-cache" -H "Postman-Token: 018a022f-bf1b-7e4f-cf11-db40a5fce490" -d 'email=yes@no.why&password=what the hey' "http://localhost:3030/auth/local"

Expected behavior

Failure, since I never verified with the "e-mailed" token. (i.e. I didn't use the link that appears in the console at step 4.)

Actual behavior

Success and JWT token given via JSON. If you scrap the Accept header in step 5, you get a similar result served up in HTML.

System configuration

This is happening both on a Windows box and a Linux box am I testing on.

Module versions (especially the part that's not working):

feathers-authentication 0.7
feathers 2.0.3

NodeJS version:

Windows: node 7.3.0
Linux: node 6.9.2

Operating System:

Windows: 7x64sp1
Linux: Mint 17.3 (32-bit)

Module Loader:

see https://github.com/eddyystop/feathers-starter-react-redux-login-roles

@daffl

This comment has been minimized.

Copy link
Member

daffl commented Jan 3, 2017

@eddyystop Is this an issue with feathers-service-verify-reset?

@eddyystop

This comment has been minimized.

Copy link
Member

eddyystop commented Jan 3, 2017

The question was originally posted at feathers-service-verify-reset. But all that repo does is

const authentication = require('feathers-authentication');
// ...
app .configure(authentication);

So I think the question belongs here.

@daffl

This comment has been minimized.

Copy link
Member

daffl commented Jan 3, 2017

I don't think feathers-authentication itself sets any tokens or sends emails. feathers-service-verify-reset has to do something to prevent users with a registration token to authenticate.

@IBwWG

This comment has been minimized.

Copy link
Author

IBwWG commented Jan 4, 2017

But feathers-service-verify-reset is part of core now...if not here, which repo are you suggesting?

@IBwWG

This comment has been minimized.

Copy link
Author

IBwWG commented Jan 4, 2017

Or is this yet another awkward technology moment for me :) I.e. "it's in the next version but the next version isn't stable yet"-itis. ;)

@daffl

This comment has been minimized.

Copy link
Member

daffl commented Jan 4, 2017

No, everything is just in plugins, there isn't really a core. This repository just does the setup for authentication infrastructure that other plugins can use (e.g. feathers-authentication-local etc.) but nothing else. It does not send emails, set tokens or register users. I'm trying to find out which plugin does the things you are mentioning and from all I can tell it's feathers-service-verify-reset.

@IBwWG

This comment has been minimized.

Copy link
Author

IBwWG commented Jan 4, 2017

Well, that's what the readme called it somewhere. :) I guess it means that it's in a feathersjs repo as opposed to a third-party one. And feathers-service-verify-reset has become first-party...hence my last comment.

You're right at least in the sense that https://github.com/eddyystop/feathers-starter-react-redux-login-roles uses feathers-service-verify-reset as opposed to a newer first-party way of doing things. However, if that deprecated repo does things the same way as the new first-party way of doing things, then there would be a bug there too, I think that's what eddyystop was getting at.

@daffl

This comment has been minimized.

Copy link
Member

daffl commented Jan 4, 2017

Oh sorry, feathers-verify-reset has been moved into the first party feathers-authentication-management. Maybe @eddyystop can weigh in what the best way to migrate would be (or if the redux plugin will be updated).

@ekryski ekryski added the Discussion label Jan 20, 2017

@ekryski

This comment has been minimized.

Copy link
Member

ekryski commented Mar 24, 2017

Is this still an open issue? As @daffl mentioned it really has nothing to do with this module. It's either still an issue with https://github.com/feathersjs/feathers-authentication-management, or it's now been resolved.

Since this this is months old without any activity, I'm going to close it, but @IBwWG or @eddyystop feel free to open an issue on https://github.com/feathersjs/feathers-authentication-management linking to this one if this is still a bug.

@ekryski ekryski closed this Mar 24, 2017

@IBwWG

This comment has been minimized.

Copy link
Author

IBwWG commented Mar 25, 2017

I just want to point out that I'm not actually a feathers stakeholder. To me, closing this issue when it still has an open request for someone to address it, and hasn't been proven to have been fixed...well, I understand wanting to keep the issues list clean, but IMHO this isn't really a way to encourage passersby to report bugs. Meanwhile feathers-based projects relying on e-mail verification are vulnerable to spam via very easy automated account creation.

@ekryski

This comment has been minimized.

Copy link
Member

ekryski commented Mar 25, 2017

@IBwWG we're trying to keep issues curated. We get more than enough bug reports so, with all due respect, I'm not sure that we have an issue with people creating issues and the intent is not to dissuade people from creating them. We actively welcome them! 😄

However, we have hundreds of open issues across multiple repos, if we just let things linger when there hasn't been any updated activity for months then we'd end up with thousands of issues and important, still relevant ones would get lost. Our opinion is that if it is important then people will make a comment like you did. It's very frequent that someone creates an issue, it's resolved, no activity happens for 6+ months and we have zero response from the issue creator. Then we have to guess as to whether it was actually a bug or just a misunderstanding by the issue creator.

I'm going to close it, but @IBwWG or @eddyystop feel free to open an issue on https://github.com/feathersjs/feathers-authentication-management linking to this one if this is still a bug.

Like I mentioned above, if you are experiencing this issue or at least think it is still an issue that is totally fine. It's easy to re-open an issue, but let's just track it in the correct location. feathers-authentication has nothing to do with email verification directly. If you are relying on an email being verified before you can authenticate with it, then it's one of 3 things:

  1. An issue with https://github.com/eddyystop/feathers-starter-react-redux-login-roles, which is not an official module and you should sort it out with @eddyystop.

  2. An issue with https://github.com/feathersjs/feathers-authentication-management, so we should record an issue there.

  3. Custom code/hooks that you should be adding yourself to check that an email has been verified before auth.hooks.authenticate() is called, and then it's more of a question and not an actual bug.

In all 3 cases, not a bug with this module. I've created an issue to track it feathers-plus/feathers-authentication-management#17, please feel free to comment on there if have more insight into the problem.

@IBwWG

This comment has been minimized.

Copy link
Author

IBwWG commented Mar 27, 2017

OK thanks @ekryski , I hope I didn't come across as antagonistic. My impression was we were still waiting for @eddyystop as to where it should properly be migrated; for my part, I don't even think I ended up using this feature in the demo I was making at the time I reported it, because it was broken and I didn't have time to fix it. I'm glad you reopened it elsewhere so it can get the attention it needs, because I think it's an important one for anyone using this feature. Anyway thank you for taking it seriously and taking the time to respond; I'm sorry I don't have more time to be involved myself.

@ekryski

This comment has been minimized.

Copy link
Member

ekryski commented Mar 29, 2017

No worries! Like I said, we (I) tend to close issues earlier in the hopes that someone will comment to let us know that it is still active and important. We have an informal 1 month rule. If nothing has happened in 1 month then it must not be that important or it has already been resolved. 😄

@HarisHashim

This comment has been minimized.

Copy link

HarisHashim commented Sep 24, 2018

I just want to highlight that this issue in feathers-authentication-management might also be depending on changing authentication-local.

feathers-plus/feathers-authentication-management#77

To quote @eddyystop comment

"The only integration that I see needed is for feathers-authentication-local to be aware of some of the fields which this repo added to the user record. Perhaps also to be aware of the field softDelete adds."

@daffl

This comment has been minimized.

Copy link
Member

daffl commented Sep 24, 2018

Most needs can be covered by customizing the verifier.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.