Fixes #27 Strategy succeeds even if user is not found #28
Conversation
|
The tests expect the function to not return an error, anyone care to explain why this was the chosen functionality? |
|
Some of the tests are failing. I thought there was a reason why it is doing it that way, but @ekryski might know. |
|
@daffl Yes because sometimes you want to just create a JWT without anything in the payload (an anonymous JWT) or you may want to encode everything you need to make authorization decisions into the payload of a JWT that has a shorter TTL (for more scalable apps). Thanks for the PR @Metamist but I don't think we can merge this. However, I did leave a comment on the issue with a few options for you. #27 (comment) |
|
The problem is that this will return a valid JWT on any error, including database or syntax errors. I'm pretty sure that is the same problem @zusamann is having in his application (https://github.com/zusamann/feathers-socket-auth-issue) as well. |
|
I would think it should only do this on a |
|
Actually @daffl I don't think I'm having a slightly different error. The custom auth service I've written first finds the user with that username, and only then proceeds, so I'm sure it's not a case of user not being found. Secondly I don't think there are any syntax errors either, the service pretty much works for all cases correctly (correct username/pass, incorrect username/ incorrect pass). The token seems to be completely valid when returned. And works perfectly fine with the rest client. Only in the websocket client once authenticate call has been made, the rest of the calls fail due to the error |
|
Though in the repository I've shared there is no custom auth service in the latest commits as I was trying to simplify the logic and see if the error still persists, which it does. |
Does this have any side-effects?
OAuth2 authentication package does this already.