Add /register endpoint to DbAuthMiddleware

[lupohirp]

Hi

i'm implementing a dbAuth.
It works flawlessy, expect that if i want to register a user ( calling a post on users table for example from my frontend ) i can't.
Is there a way to bypass this security check?

[mevdschee]

Thank you for opening this issue.

Is there a way to bypass this security check?

Is this the xsrf check? If so, did you see #730, and did you try to double submit the/any xsrf value?

Kind regards, Maurits

[mevdschee]

Well I guess you don't want to give unauthorized users access to write all fields of the users table, so maybe we should add an /register endpoint in the DbAuthMiddleware, what do you think? What configuration would be required?

[mevdschee]

@rolandboon what do you think about this feature, how would/did you solve this?

[lupohirp]

Well I guess you don't want to give unauthorized users access to write all fields of the users table, so maybe we should add an /register endpoint in the DbAuthMiddleware, what do you think? What configuration would be required?

i think would be great! i think that it will need only username and password fields, once user has registered, we can exchange session cookie from client to server ( we could call /login endpoint to generate session cookie after registration ) to update user table if needed. Maybe only one api open on internet regarding the security.

[mevdschee]

Released: v2.9.26 Add /register endpoint

[mevdschee]

You need to enable this functionality with the "dbAuth.registerUser" parameter.

[lupohirp]

ok, it works thanks! i've improved a bit your implementation checking about if user is already registered :

     if (!$registerUser) {
                    return $this->responder->error(ErrorCode::AUTHENTICATION_FAILED, $username);
                }
     
            $condition = new ColumnCondition($usernameColumn, 'eq', $username);
            $returnedColumns = $this->getProperty('returnedColumns', '');
            if (!$returnedColumns) {
                $columnNames = $table->getColumnNames();
            } else {
                $columnNames = array_map('trim', explode(',', $returnedColumns));
                $columnNames[] = $passwordColumnName;
            }
            
             $columnOrdering = $this->ordering->getDefaultColumnOrdering($table);
            $results = $this->db->selectAll($table, $columnNames, $condition, $columnOrdering, 0, 1);
  
              
                if(!empty($results)){
                   return $this->responder->error(ErrorCode::USER_ALREADY_EXIST, $username);
                }

    const AUTHENTICATION_FAILED = 1012;

private $values = [
1020 => ["%s already exist", ResponseFactory::UNPROCESSABLE_ENTITY],

[mevdschee]

I applied your changes and also added the /password endpoint to allow a user to change their password.

[mevdschee]

Released: v2.9.28 Add /password endpoint