Adds sign up verification, forgotten password reset, and other capabilities to local feathers-authentication

License: MIT License

JavaScript 100.00%

authentication-local-management's People

Contributors

Stargazers

Watchers

Forkers

nickbolles binarygrrl

authentication-local-management's Issues

Implement rate limiting to harden against hacking

This continues feathersjs-ecosystem/feathers-authentication-management#85

luc.claustres [5:21 AM]
And about rate limiting this can be implemented easily using hoojs or low-level app control over requests

I would think this is something which should be implemented for any service not just this repo. I've therefore created this issue feathers-plus/generator-feathers-plus#100

What is the difference between this plugin and the feathers-plus/feathers-authentication-management?

Is one preferable over the over?

Thanks.

Change authentication-local to check the isVerified field.

If authentication-local checks the isVerified field in the user record (if it exists), then the isVerified hook will not be needed.

Review articles for pain points

feathersjs-ecosystem/feathers-authentication-management#13

Inaccurate 'Can only affect your own account' error

Steps to reproduce

Tell us what broke. The more detailed the better.
Include the feathers-gen-specs.json file from your app.
Include the src/services/[serviceName]/[serviceName].schema.?s files if the issue involves the fields in one or more services.

I verified that password change is sending the correct user, auth token and such down to the server. Then on this line

the authUser Id and the user1 (from the db) id are identical, but using === directly on them still returns false.

Changing this line to stringify the ids fixes the issue

  if (options.ownAcctOnly && authUser && (`${getId(authUser)}` !== `${getId(user1)}`)) {

It might also make sense to do this in the get-id helper?

API to check if tokens are still valid, without changing password

Copied from feathersjs-ecosystem/feathers-authentication-management#2

Limit password reset to the verified user

This follows on from feathersjs-ecosystem/feathers-authentication-management#85

luc.claustres [4:47 AM]
Hi, i think you can already limit password reset to verified user. And in the other case reset is pretty similar to register, an attacker will probably find a way to know if an email is in the DB anyway. What we should not do of course is weaking info like hashed passwords.

Check client-side integration with Redux

Confirm I would think feathers-redux should handle it fine. You just have to make the same authManagement service calls the functions in src/client.js make.

Confirm this is so.

Let hooks hash the password rather than do so internally

Right now the repo hashes the password internally. The user has to condition the hashpassword() so its not run when the repo is making the service call.

This is confusing. Let the hook do all the hashing.

Massive confusion regarding password resets. F-A-M / A-L-M

I am massively confused while implementing Password Reset through reset tokens.

After following along with the guide posted on the other repo (which has no code snippets, I had to contact the author to get a working link, found here) I got to the point where the email verification worked and was ready to implement password resetting.

Looking at the library itself I tried the following:

Do a POST with the following body:

{
    "action": "sendResetPwd",
    "value": {
        "email": "[email protected]"
    }
}

Get the 'resetToken' from the user.
Do a POST with the following body:

{
    "action": "resetPwdLong",
    "value": {
        "token": "$2a$13$7pV8cawWwmDy3nufgvRjPeoy2l6dEC39UtFo86ozBYUdVG2jLzY0u",
        "user": {
            "email": "[email protected]"
        },
        "password": "here_my_password"
    }
}

This gives a 'Token is not in the correct format.' error.

So I went digging into the library code itself, I noticed that it had a .indexOf('___') somewhere and decided to check what it wants. It wants the user id, combined with ___, followed by the token. So I made the body look like this:

{
    "action": "resetPwdLong",
    "value": {
        "token": "5d47226499853a39a7778ca8___$2a$13$7pV8cawWwmDy3nufgvRjPeoy2l6dEC39UtFo86ozBYUdVG2jLzY0u",
        "user": {
            "email": "[email protected]"
        },
        "password": "here_my_password"
    }
}

This gives a 'Invalid token. Get for a new one. (authManagement)'. I noticed that in that piece of code, it expects the token without the id___ prepended to it. I then tried to change that part of the library, but then it does a bcrypt.compare of 2 similar hashed tokens.

After all these hours, I started to notice that there are 2 repos:

feathers-authentication-management a.k.a. f-a-m which has feathers-local-management a.k.a. f-a-l on top of its README.md file.
this repo authentication-local-management which has feathers-authentication-management on top of its docs.md file.

If it is not by intention to mismatch the terms, I can create PRs to use consistent terminology on both repos.

tl;dr
What is the path to follow to implement the email verification, password reset etc.?

Best regards
Bart

Discussing enhancements and changes for V3 rewrite

Transfer from feathersjs-ecosystem/feathers-authentication-management#114

feathers-plus / authentication-local-management Goto Github PK