Closed renzosunico closed 6 years ago
From the screenshot, I can see value for field origin
is set to false
. Where in the code you use this value to generate the token?
origin_url is our uid set in the auth config.
We have the following configuration:
jwt: {
serializer: 'lucid',
model: 'App/Models/User',
scheme: 'jwt',
uid: 'origin_url',
password: 'secret_key',
options: {
algorithm: 'HS256',
secret: Env.get('APP_KEY'),
expiresIn: 60 * 60 * 2 // 2 hours
}
}
In our controller:
const originUrl = request.input('origin_url')
const secretKey = request.input('secret_key')
const tokens = await auth
.withRefreshToken()
.attempt(originUrl, secretKey)
If originUrl
is equal to false
, it returns a valid token.
Which isn't incorrect.
So origin_url
is a field inside the database. The auth module simply queries the field based off the current value.
If your database has a row with the value of false
inside it, then the query will be considered successful and hence a token is generated for same.
We don't have an origin_url with false value in our database and it only happens when origin_url is boolean false. It doesn't create a valid token when origin_url is set to string false.
Okay that's interesting.
Can you share the SQL query created when boolean (false)
is used. You can turn on database debugging by setting debug: true
inside config/database.js
file
{ method: 'first',
options: {},
timeout: false,
cancelOnTimeout: false,
bindings: [ false, 1 ],
__knexQueryUid: 'knexqueryUid',
sql: 'select * from `users` where `origin_url` = ? limit ?' }
{ method: 'insert',
options: {},
timeout: false,
cancelOnTimeout: false,
bindings:
[ '2018-06-19 14:12:40',
false,
1,
'random-string-49c7-814f-abcdefgh',
'jwt_refresh_token',
'2018-06-19 14:12:40' ],
__knexQueryUid: 'knexqueryUid',
sql: 'insert into `tokens` (`created_at`, `is_revoked`, `user_id`, `token`, `type`, `updated_at`) values (?, ?, ?, ?, ?, ?)' }
I tried querying select * from
userswhere
origin_url= false
directly to database and it returns all rows if I remove the limit. By default, it will get the first row.
Might be related to this: https://stackoverflow.com/questions/6098875/false-value-in-where-clause-returns-all-rows
We have a bug in our app which sets the value of uid to false in each request. Surprisingly, a valid token is given after the request.
We can workaround this by not accepting boolean values in our app.
Sample postman request: