User: Skipping password hash and contain plain password on the database #840

Closed
itpcc opened this issue Mar 24, 2018 · 1 comment
Labels: issue: bug (Issue reporting a bug), status: duplicate (Is a duplicate of another issue)

Comments

@itpcc

itpcc commented Mar 24, 2018

Node.js version:
v8.10.0 LTS
npm version:
5.7.1
Strapi version:
3.0.0-alpha.11.1
Operating system:
Windows 10:

PS D:\app> [System.Environment]::OSVersion.Version

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      16299  0

Do you want to request a feature or report a bug?
Bug

What is the current behavior?
I create the Strapi app using strapi start. When I add a user via http://localhost:1337/admin/plugins/content-manager/user/create?source=users-permissions, bcrypt.hash will work (bcryptjs is neither mentioned in the package.json file nor installed in the node_modules folder), skip the checking process, and save the password into the database directly as plain text.

So, when I try to log in via POST http://localhost:1337/auth/local, it throws an error: Identifier or password invalid.

Strangely, if I use the admin credentials, it works just fine and saves into the database with a hashed password.

If the current behavior is a bug, please provide the steps to reproduce the problem

What is the expected behavior?
It should ~~either~~:

  • ~~Throw an error about bcrypt. Or~~
  • Hash the password properly

Suggestion
I checked using console.log and found that the value sent to the User.add service (path: \plugins\users-permissions\services\User.js) is in this form:

```js
{ fields: { username: 'aasss', email: 'aa@ss.co', password: '111111' },
  files: {} }
```

But the logic used to check whether a password exists was (line 21):

```js
// Only the flat shape is handled; the nested `fields.password` is never hashed.
if (values.password) {
  values.password = await strapi.plugins['users-permissions'].services.user.hashPassword(values);
}
```

So, IMO, this line should be changed to:

```js
if (values.password) {
  values.password = await strapi.plugins['users-permissions'].services.user.hashPassword(values);
} else if (values.fields && values.fields.password) {
  // Guard on `values.fields` so a payload without it does not throw a TypeError.
  values.fields.password = await strapi.plugins['users-permissions'].services.user.hashPassword(values.fields);
}
```

Oh, and the edit method too!
I tested it, and the problem is solved. 😄

@lauriejim
Contributor

Hi @itpcc, follow this issue: #765.
Thank you for this report.
