adonisjs / auth

Official Authentication package for AdonisJS
https://docs.adonisjs.com/guides/auth/introduction
MIT License

bug in multiple authenticator #119

Closed amirkheirabadi73 closed 6 years ago

amirkheirabadi73 commented 6 years ago

I've two authenticator configs with the scheme set to session that use different tables. When I try to log in everything is OK, but when I want to get info about the logged-in user there are some problems.

For example, I log in as admin, but in the middleware both of these calls return true: await auth.authenticator('admin').check() and await auth.authenticator('user').check()

Also, when I want to get info about the logged-in user, these two calls return different users: await auth.authenticator('admin').getUser() and await auth.authenticator('user').getUser()

So I can't determine the role of the logged-in user.

thetutlage commented 6 years ago

Can you share the config/auth.js file?

amirkheirabadi73 commented 6 years ago

// config/auth.js (the surrounding module.exports wrapper is restored here for completeness)
module.exports = {
  // Default authenticator used when auth.authenticator() is not called explicitly
  authenticator: 'user',

  // Session-based authenticator backed by the Admin model / table
  admin: {
    serializer: 'lucid',
    model: 'App/Models/Admin',
    scheme: 'session',
    uid: 'email',
    password: 'password'
  },

  // Session-based authenticator backed by the User model / table
  user: {
    serializer: 'lucid',
    model: 'App/Models/User',
    scheme: 'session',
    uid: 'email',
    password: 'password'
  }
}

thetutlage commented 6 years ago

How come users for different models (hopefully different db tables too) can be the same?

amirkheirabadi73 commented 6 years ago

Sorry @thetutlage, I don't understand what you mean. As I said, I have two roles in my system, admin and user, and both of them have the same fields like email and password.

This is my sign-in action code:

// Controller action (the method name `login` is assumed; only the body was posted)
async login({ request, auth, response, session }) {
    try {
      // First try the 'user' authenticator with the submitted credentials
      await auth.authenticator('user')
        .remember(request.input('remember'))
        .attempt(request.input('email'), request.input('password'))
    } catch (error) {
      // If that fails, retry the same credentials against the 'admin' authenticator
      try {
        await auth.authenticator('admin')
          .remember(request.input('remember'))
          .attempt(request.input('email'), request.input('password'))
      } catch (error) {
        // Both attempts failed: flash a generic error and send the user back to the form
        session.flash({
          errors: ['wrong email or password']
        }).flashExcept(['password'])
        return response.redirect('back')
      }
    }
  }

Then in my middleware, when I try to check the auth status:

  async handle({
    request,
    auth,
    response
  }, next) {
    try {
      // Accept the request if the 'user' authenticator has a valid session
      const userAuthenticator = auth.authenticator('user')
      await userAuthenticator.check()
    } catch (error) {
      try {
        // Otherwise accept it if the 'admin' authenticator has a valid session
        const adminAuthenticator = auth.authenticator('admin')
        await adminAuthenticator.check()
      } catch (error) {
        // Neither authenticator recognises the session: send to the login page
        return response.redirect('/auth')
      }
    }

    await next()
  }

Now my problem is here. When I log in with the admin email and password, both userAuthenticator.check() and adminAuthenticator.check() return true, and userAuthenticator.getUser() returns a user's record :|

thetutlage commented 6 years ago

Having 2 roles doesn't mean that they will be authenticated differently, nor do you need 2 authenticators.

The user simply logs in, and then you check the user's role for specific resources. You are approaching ACL in the wrong way.
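The approach described above, as an added example that is not part of the issue thread or of the adonisjs/auth package: a single session authenticator backed by one User model that carries a `role` column, with a named middleware that authorizes by role after one authentication check. The `role` field, the class name `RoleMiddleware` and the `handle(ctx, next, properties)` signature (properties being the values after the colon in a route middleware string such as `is:admin`) are assumptions about the app, not code from the page.

```javascript
// Added example (not from the issue or adonisjs/auth). Assumes ONE session
// authenticator in config/auth.js and a string `role` column on the User model.

// Pure policy decision, kept separate so it can be unit-tested without an app.
// Returns 'anonymous' (no session), 'forbidden' (wrong/missing role) or 'ok'.
function authorizeRole(user, allowedRoles) {
  if (!user) return 'anonymous'
  if (typeof user.role !== 'string') return 'forbidden' // missing role: deny by default
  return allowedRoles.includes(user.role) ? 'ok' : 'forbidden'
}

// Named middleware, e.g. registered in start/kernel.js and used as 'is:admin'.
// Exactly one authenticator (the default one) is consulted, so two schemes can
// never read the same session and disagree about who is logged in.
class RoleMiddleware {
  async handle({ auth, response }, next, properties = []) {
    let user = null
    try {
      await auth.check()           // throws when there is no valid session
      user = await auth.getUser()  // the single User record for that session
    } catch (error) {
      user = null
    }

    const decision = authorizeRole(user, properties)
    if (decision === 'anonymous') return response.redirect('/auth')
    if (decision === 'forbidden') return response.status(403).send('Forbidden')
    await next()
  }
}

// Runs the middleware against a constructed (fake) auth/response pair so the
// behaviour can be exercised offline; `sessionUser` is what the one
// authenticator would resolve for the current session (null = not logged in).
async function runWithFakeContext(sessionUser, properties) {
  const outcome = []
  const auth = {
    async check() { if (!sessionUser) throw new Error('not logged in'); return true },
    async getUser() { return sessionUser }
  }
  const response = {
    redirect(url) { outcome.push(`redirect:${url}`) },
    status(code) { return { send: () => outcome.push(`status:${code}`) } }
  }
  const next = async () => outcome.push('next')
  await new RoleMiddleware().handle({ auth, response }, next, properties)
  return outcome.join(',')
}
```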

thetutlage commented 6 years ago

Also, since it's not a bug, I suggest discussing this on a forum or the Discord server.

thetutlage commented 6 years ago

Closing since there is no response from the issue reporter, and it's not actionable either.