Hypertopic / LaSuli

Social annotation for qualitative analysis
https://hypertopic.org/lasuli
GNU General Public License v3.0
12 stars 4 forks source link

Any password should be usable for the annotation service #87

Open benel opened 5 years ago

benel commented 5 years ago

Among 130 students, 2 of them were unable to login to Argos through LaSuli, whereas they succeeded in Cassandre.

Because authentication settings are exactly the same on Argos and Cassandre, and because of the scarcity of the bug, I suspect password encoding to be not robust enough in LaSuli (contrary to Cassandre).

@christophe-lejeune Do you remember a similar bug you fixed in Cassandre ?

christophe-lejeune commented 5 years ago

I have recently restored one old rule in Cassandre code, that forces usernames (not passwords, of course) to be lowercase (ie: usernames are converted lowercase, whatever the user fills in the username field). Passwords remain untouched.

The reason for this rule was that our software (Cassandre + AAAforREST + LDAP) allows users to register with their username, even if they submit it with a mix of lower and uppercase (this is the case, in particular, for people using phones or tablets). I realized later that one username may create two (or more) different identities (corresponding to each mix of lower and uppercase, for the same username). Perhaps you are facing a similar problem (?).

I have to mention that, last yeay, I also faced a problem with one and only user, reporting that he was unable to log in Cassandre. However, given this student was not sure of his own password and because he did not stop to change his password (in order to solve the problem), I decided to ignore the problem (assuming that it was not coming from the software iteself).

benel commented 5 years ago

I see that Cassandre use serialize from jQuery which does URI encoding.

In contrast, LaSuli gets the value untouched.

benel commented 5 years ago

I will add password URI encoding in the next release of LaSuli. Thanks for your help :)

benel commented 4 years ago

It seems that the problem still exists (maybe with + or &). The issue needs further investigations.