Adds sign up verification, forgotten password reset, and other capabilities to local feathersjs/authentication.
In development
License: MIT License
I am massively confused while implementing Password Reset through reset tokens.
After following along with the guide posted on the other repo (which has no code snippets; I had to contact the author to get a working link, found here), I got to the point where the email verification worked and was ready to implement password resetting.
Looking at the library itself I tried the following:
```json
{
  "action": "sendResetPwd",
  "value": {
    "email": "[email protected]"
  }
}
```

```json
{
  "action": "resetPwdLong",
  "value": {
    "token": "$2a$13$7pV8cawWwmDy3nufgvRjPeoy2l6dEC39UtFo86ozBYUdVG2jLzY0u",
    "user": {
      "email": "[email protected]"
    },
    "password": "here_my_password"
  }
}
```
This gives a 'Token is not in the correct format.' error.
So I went digging into the library code itself. I noticed that it had a `.indexOf('___')` somewhere and decided to check what it wants. It wants the user id, combined with `___`, followed by the token. So I made the body look like this:

```json
{
  "action": "resetPwdLong",
  "value": {
    "token": "5d47226499853a39a7778ca8___$2a$13$7pV8cawWwmDy3nufgvRjPeoy2l6dEC39UtFo86ozBYUdVG2jLzY0u",
    "user": {
      "email": "[email protected]"
    },
    "password": "here_my_password"
  }
}
```
This gives an 'Invalid token. Get for a new one. (authManagement)' error. I noticed that in that piece of code, it expects the token without the `id___` prepended to it. I then tried to change that part of the library, but then it does a `bcrypt.compare` of 2 similar hashed tokens.
After all these hours, I started to notice that there are 2 repos:
If it is not by intention to mismatch the terms, I can create PRs to use consistent terminology on both repos.
tl;dr
What is the path to follow to implement the email verification, password reset etc.?
Best regards
Bart
Is one preferable over the other?
Thanks.
This continues feathersjs-ecosystem/feathers-authentication-management#85
luc.claustres [5:21 AM]
And about rate limiting, this can be implemented easily using hooks or low-level app control over requests.
I would think this is something which should be implemented for any service not just this repo. I've therefore created this issue feathers-plus/generator-feathers-plus#100
Confirm I would think feathers-redux should handle it fine. You just have to make the same authManagement service calls the functions in src/client.js make.
Confirm this is so.
I verified that password change is sending the correct user, auth token and such down to the server. Then on this line the authUser id and the user1 (from the db) id are identical, but using `===` directly on them still returns false.
Changing this line to stringify the ids fixes the issue:

```js
if (options.ownAcctOnly && authUser && (`${getId(authUser)}` !== `${getId(user1)}`)) {
```
It might also make sense to do this in the get-id helper?
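The comparison problem above, worked through as an added example (not the repository's own code): two equal database ids that are distinct objects fail `===`, and a string-normalising `sameId` helper makes the `ownAcctOnly` guard compare by value while still failing closed when an id is missing. `FakeObjectId` is a constructed stand-in for a driver id type, and this `getId` only mirrors the shape of the helper named in the issue.

```javascript
// Constructed stand-in for a database id object (e.g. a Mongo ObjectId):
// two instances with the same hex are equal by value but not by identity.
class FakeObjectId {
  constructor(hex) { this.hex = hex; }
  toString() { return this.hex; }
}

// Accepts a record or a bare id and returns the id the record carries.
function getId(objOrId) {
  if (objOrId === null || objOrId === undefined) return objOrId;
  if (typeof objOrId === 'object' && !(objOrId instanceof FakeObjectId)) {
    return objOrId._id !== undefined ? objOrId._id : objOrId.id;
  }
  return objOrId;
}

// Compare ids by canonical string form so ObjectId vs ObjectId, ObjectId vs
// string and string vs string all compare by value. A missing id on either
// side is never a match, so the guard below fails closed.
function sameId(a, b) {
  const ida = getId(a);
  const idb = getId(b);
  if (ida === null || ida === undefined || idb === null || idb === undefined) return false;
  return `${ida}` === `${idb}`;
}

// The ownAcctOnly guard: reject unless the authenticated user owns the record.
function checkOwnAccount(options, authUser, user1) {
  if (options.ownAcctOnly && authUser && !sameId(authUser, user1)) {
    throw new Error('Not own account. (authManagement)');
  }
  return true;
}

// Sample records (constructed): same id loaded twice, plus a different user.
const HEX = '5d47226499853a39a7778ca8';
const authUser = { _id: new FakeObjectId(HEX), email: 'a@example.com' };
const user1 = { _id: new FakeObjectId(HEX), email: 'a@example.com' };
const other = { _id: new FakeObjectId('5d47226499853a39a7778ca9') };

// Identity comparison on two distinct id objects is false despite equal values.
const strictEqual = getId(authUser) === getId(user1); // false
```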
This follows on from feathersjs-ecosystem/feathers-authentication-management#85
luc.claustres [4:47 AM]
Hi, I think you can already limit password reset to verified users. And in the other case reset is pretty similar to register; an attacker will probably find a way to know if an email is in the DB anyway. What we should not do of course is leaking info like hashed passwords.
If authentication-local checks the isVerified field in the user record (if it exists), then the isVerified hook will not be needed.
Right now the repo hashes the password internally. The user has to condition the `hashPassword()` hook so it's not run when the repo is making the service call. This is confusing. Let the hook do all the hashing.