[Bug?]: Default dbAuth workflow leaks resetToken #6343
Comments
My feeling is that there are 2 possible options here.
Thanks for the report @maddijoyce! @cannikin could I hand this one off to you cause dbAuth?
Yup, I’m on it!
On Sep 5, 2022, at 8:30 AM, Dominic Saadi wrote:
Thanks for the report @maddijoyce! @cannikin could I hand this one off to you cause dbAuth?
@dac09 Didn't we just update this function to only return a boolean, or throw an error? Was that in the TS strict stuff?
Yeah, we changed the template - but we mainly changed the templates, and didn't change the dbAuthHandler underneath to throw an error, so I think it still needs a look.
I don't know that we need to throw an error, just update this function to not return the same thing that came from that Then update
Did you want to work on this one @maddijoyce? How does my suggestion above sound?
Ah yeah, that makes sense to me. Don't just limit the chance for leakage in the tutorial/generated code. Instead eliminate it entirely in the DbAuthHandler. I'd love to have a crack at this, so I'll check the contributor guide and push a PR. Cheers!
Turns out it was easier to just strip
We do have the ability to write codemods, so that your files are automatically updated by us during the
Hey @maddijoyce, any chance you still want to take this one? No problem if not, just say the word and I'll add it to my own queue. :)
What's not working?
After following the tutorial to get an idea of how redwood works, I was testing out the dbAuth functionality with the console open. I was looking at the response from the forgotPassword lambda (without changing anything from the scaffolded code) and it's returning the reset token:
How do we reproduce the bug?
Just follow the instructions here - https://redwoodjs.com/docs/auth/dbauth
At its most basic, on a brand new redwood repo run:
yarn rw setup auth dbAuth
yarn rw g dbAuth
What's your environment? (If it applies)
System:
  OS: macOS 12.5
  Shell: 3.3.1 - /opt/homebrew/bin/fish
Binaries:
  Node: 16.13.0 - /private/var/folders/79/3b3vgxfs4633nxwvbjs0c0y00000gn/T/xfs-09c55961/node
  Yarn: 3.2.1 - /private/var/folders/79/3b3vgxfs4633nxwvbjs0c0y00000gn/T/xfs-09c55961/yarn
Databases:
  SQLite: 3.37.0 - /usr/bin/sqlite3
Browsers:
  Chrome: 96.0.4664.55
  Firefox: 104.0.1
  Safari: 15.6
npmPackages:
  @redwoodjs/core: 2.2.3 => 2.2.3
Are you interested in working on this?