AuthController allows invalid credentials #5

Closed
kiuka opened this issue May 27, 2016 · 2 comments

kiuka commented May 27, 2016

Hello,

I am trying to integrate your plugin into Lumen 5.2. It seems to work fine, except it allows invalid credentials.

When I send a request to /auth/login with email "jaoisdjsaod@ajsiod.hu" and password "ajsdoijsa", it returns a valid token:

    {"success":{"message":"token_generated","token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6Imh0dHA6XC9cL3BsYW50bWFuYWdlci1hcGkuZGV2XC9hdXRoXC9sb2dpbiIsImlhdCI6MTQ2NDM1NTkzNiwiZXhwIjoxNDY0MzU5NTM2LCJuYmYiOjE0NjQzNTU5MzYsImp0aSI6ImI1YmY4OTNhOTUyZGQwMDZiZWIxODFmMTkyNGEwMTJjIn0.3PhVhypGwegsH_2yNTeTMvDRqQApnakd6zaWsRJEC8I"}}


I was trying to determine the problem, and it seems the error is somewhere around ApiGuard and TokenGuard.

ApiGuard:

    public function __construct(UserProvider $provider, Request $request)
    {
        $this->request = $request;
        $this->provider = $provider;
        // The two assignments below were highlighted in the original report.
        $this->inputKey = app('config')->get('auth.guards.api.identifier');
        $this->storageKey = app('config')->get('auth.guards.api.password');
    }

The TokenGuard validate function converts the credentials:

    public function validate(array $credentials = [])
    {
        $credentials = [$this->storageKey => $credentials[$this->inputKey]];

        if ($this->provider->retrieveByCredentials($credentials)) {
            return true;
        }

        return false;
    }

So the output of the above will be:

    ['password' => '[emailaddress that I send]']

Thus the credentials do not match anything in EloquentUserProvider, because it filters items with key 'password':

    public function retrieveByCredentials(array $credentials)
    {
        if (empty($credentials)) {
            return;
        }

        // First we will add each credential element to the query as a where clause.
        // Then we can execute the query and, if we found a user, return it in a
        // Eloquent User "model" that will be utilized by the Guard instances.
        $query = $this->createModel()->newQuery();

        foreach ($credentials as $key => $value) {
            if (! Str::contains($key, 'password')) {
                $query->where($key, $value);
            }
        }

        return $query->first();
    }

Could you help me find what I am missing?
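
The failure described in the report above, as an added example that is not part of the issue or the project's code: once the identifier is re-keyed under `password`, the provider skips that key, the lookup runs with no filter, and the first user row comes back, so any credentials validate. Plain-PHP stand-ins replace the Laravel classes; the sample users, the `email`/`password` key names, and `validateHardened` are assumptions, not the maintainer's fix.

```php
<?php
// Added illustration: plain-PHP stand-ins for the Laravel classes, no framework needed.
// Constructed sample users; the 'email' and 'password' key names are assumptions.
$users = [
    ['id' => 1, 'email' => 'alice@example.test', 'password' => password_hash('alice-secret', PASSWORD_BCRYPT)],
    ['id' => 2, 'email' => 'bob@example.test', 'password' => password_hash('bob-secret', PASSWORD_BCRYPT)],
];

// Mimics EloquentUserProvider::retrieveByCredentials(): keys containing
// "password" are skipped, every other key becomes an equality filter.
function retrieveByCredentials(array $users, array $credentials): ?array
{
    if (empty($credentials)) {
        return null;
    }
    foreach ($users as $user) {
        $match = true;
        foreach ($credentials as $key => $value) {
            if (strpos($key, 'password') === false && ($user[$key] ?? null) !== $value) {
                $match = false;
            }
        }
        if ($match) {
            return $user; // like ->first(): the first row that passes every filter
        }
    }
    return null;
}

// Behaviour from the report: the identifier value is re-keyed under the password key,
// so the provider receives no usable filter at all.
function validateAsReported(array $users, array $credentials): bool
{
    $mapped = ['password' => $credentials['email']];
    return retrieveByCredentials($users, $mapped) !== null;
}

// Hardened form (hypothetical): look the user up by identifier, then verify the hash.
function validateHardened(array $users, array $credentials): bool
{
    if (!isset($credentials['email'], $credentials['password'])) {
        return false;
    }
    $user = retrieveByCredentials($users, ['email' => $credentials['email']]);
    return $user !== null && password_verify($credentials['password'], $user['password']);
}
$bogus = ['email' => 'jaoisdjsaod@ajsiod.hu', 'password' => 'ajsdoijsa'];
var_dump(validateAsReported($users, $bogus), validateHardened($users, $bogus));
var_dump(validateHardened($users, ['email' => 'alice@example.test', 'password' => 'alice-secret']));
```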

krisanalfa added the bug label May 30, 2016

krisanalfa (Owner) commented

Hi, @kiuka. I updated the source code. Let me know if it works fine.


kiuka commented May 30, 2016

It works fine now, thank you very much.
