E-mail verification step can be bypassed using Postman or Curl #391
Comments
@eddyystop Is this an issue with |
The question was originally posted at feathers-service-verify-reset. But all that repo does is

```js
const authentication = require('feathers-authentication');
// ...
app.configure(authentication);
```

So I think the question belongs here. |
I don't think |
But |
Or is this yet another awkward technology moment for me :) I.e. "it's in the next version but the next version isn't stable yet"-itis. ;) |
No, everything is just in plugins, there isn't really a core. This repository just does the setup for authentication infrastructure that other plugins can use (e.g. |
Well, that's what the readme called it somewhere. :) I guess it means that it's in a feathersjs repo as opposed to a third-party one. And you're right at least in the sense that https://github.com/eddyystop/feathers-starter-react-redux-login-roles uses |
Oh sorry, |
Is this still an open issue? As @daffl mentioned it really has nothing to do with this module. It's either still an issue with https://github.com/feathersjs/feathers-authentication-management, or it's now been resolved. Since this is months old without any activity, I'm going to close it, but @IBwWG or @eddyystop feel free to open an issue on https://github.com/feathersjs/feathers-authentication-management linking to this one if this is still a bug. |
I just want to point out that I'm not actually a feathers stakeholder. To me, closing this issue when it still has an open request for someone to address it, and hasn't been proven to have been fixed...well, I understand wanting to keep the issues list clean, but IMHO this isn't really a way to encourage passersby to report bugs. Meanwhile feathers-based projects relying on e-mail verification are vulnerable to spam via very easy automated account creation. |
@IBwWG we're trying to keep issues curated. We get more than enough bug reports so, with all due respect, I'm not sure that we have an issue with people creating issues and the intent is not to dissuade people from creating them. We actively welcome them! 😄 However, we have hundreds of open issues across multiple repos, if we just let things linger when there hasn't been any updated activity for months then we'd end up with thousands of issues and important, still relevant ones would get lost. Our opinion is that if it is important then people will make a comment like you did. It's very frequent that someone creates an issue, it's resolved, no activity happens for 6+ months and we have zero response from the issue creator. Then we have to guess as to whether it was actually a bug or just a misunderstanding by the issue creator.
Like I mentioned above, if you are experiencing this issue or at least think it is still an issue that is totally fine. It's easy to re-open an issue, but let's just track it in the correct location.
In all 3 cases, not a bug with this module. I've created an issue to track it feathersjs-ecosystem/feathers-authentication-management#17, please feel free to comment on there if you have more insight into the problem. |
OK thanks @ekryski, I hope I didn't come across as antagonistic. My impression was we were still waiting for @eddyystop as to where it should properly be migrated; for my part, I don't even think I ended up using this feature in the demo I was making at the time I reported it, because it was broken and I didn't have time to fix it. I'm glad you reopened it elsewhere so it can get the attention it needs, because I think it's an important one for anyone using this feature. Anyway thank you for taking it seriously and taking the time to respond; I'm sorry I don't have more time to be involved myself. |
No worries! Like I said, we (I) tend to close issues earlier in the hopes that someone will comment to let us know that it is still active and important. We have an informal 1 month rule. If nothing has happened in 1 month then it must not be that important or it has already been resolved. 😄 |
I just want to highlight that this issue in feathers-authentication-management might also be depending on changing authentication-local. feathersjs-ecosystem/feathers-authentication-management#77 To quote @eddyystop's comment "The only integration that I see needed is for feathers-authentication-local to be aware of some of the fields which this repo added to the user record. Perhaps also to be aware of the field |
Most needs can be covered by customizing the verifier. |
OK, so, as a newcomer, I really am not sure where exactly this issue fits into this repo, but @eddyystop is pretty involved here so I'm taking his word for it. :) (Original issue is at https://github.com/eddyystop/feathers-starter-react-redux-login-roles but I'm assured that it's not about that repo.)
Steps to reproduce
Expected behavior
Failure, since I never verified with the "e-mailed" token. (i.e. I didn't use the link that appears in the console at step 4.)
Actual behavior
Success and JWT token given via JSON. If you scrap the Accept header in step 5, you get a similar result served up in HTML.
System configuration
This is happening both on a Windows box and a Linux box I am testing on.
Module versions (especially the part that's not working):
feathers-authentication 0.7
feathers 2.0.3
NodeJS version:
Windows: node 7.3.0
Linux: node 6.9.2
Operating System:
Windows: 7x64sp1
Linux: Mint 17.3 (32-bit)
Module Loader:
see https://github.com/eddyystop/feathers-starter-react-redux-login-roles
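
The expected and actual behaviour reported above, side by side, as an added example that is not code from this thread, from Feathers, or from its plugins. It is a framework-free sketch: the `isVerified` flag name, the user records, and the opaque random token standing in for the JWT are all assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample users. `isVerified` is an assumed flag name meaning
// "the e-mailed token was redeemed"; the third record lacks the flag entirely.
const hash = (pw, salt) => crypto.scryptSync(pw, salt, 32);
const makeUser = (email, pw, extra) => {
  const salt = crypto.randomBytes(16);
  return { email, salt, pwHash: hash(pw, salt), ...extra };
};
const users = [
  makeUser('verified@example.test', 'correct horse', { isVerified: true }),
  makeUser('pending@example.test', 'battery staple', { isVerified: false }),
  makeUser('noflag@example.test', 'old account pw', {}),
];

// Password check shared by both login paths (constant-time comparison).
function checkPassword(email, password) {
  const user = users.find((u) => u.email === email);
  if (!user) return null;
  const candidate = hash(password, user.salt);
  return crypto.timingSafeEqual(candidate, user.pwHash) ? user : null;
}

// Stand-in for the JWT the report mentions: an opaque random string.
const issueToken = () => crypto.randomBytes(16).toString('hex');

// Reported behaviour: a correct password alone is enough to get a token.
function loginPasswordOnly(email, password) {
  const user = checkPassword(email, password);
  if (!user) return { ok: false, reason: 'invalid-credentials' };
  return { ok: true, token: issueToken() };
}

// Expected behaviour: the verification flag gates token issuance.
// `=== true` fails closed when the flag is missing, and the flag is only
// consulted after the password matches, so a caller without the password
// learns nothing about whether an account is verified.
function loginRequiringVerification(email, password) {
  const user = checkPassword(email, password);
  if (!user) return { ok: false, reason: 'invalid-credentials' };
  if (user.isVerified !== true) return { ok: false, reason: 'email-not-verified' };
  return { ok: true, token: issueToken() };
}
```

The checks on the `pending@example.test` and `noflag@example.test` records double as a regression test for the bypass: both must be refused by the gated path even with the right password.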