colinskow / superlogin

Powerful authentication for APIs and single page apps using the CouchDB ecosystem which supports a variety of providers.
MIT License

Register validation failed #200

Open georgemccann opened 6 years ago

georgemccann commented 6 years ago

I have been using superlogin for almost 2 years without any issue. Over the last few weeks, the register functionality seems to have stopped working without any modification.

I have created a new vagrant box and set up couchdb, and superlogin from scratch, and am getting the very same error.

Using Postman I get the following response when posting all values:

{
    "error": "Validation failed",
    "validationErrors": {
        "email": [ "Email can't be blank" ],
        "username": [ "Username can't be blank" ],
        "password": [ "Password can't be blank" ],
        "confirmPassword": [ "Confirm password can't be blank" ]
    },
    "status": 400
}

My script.js file looks like this:

var express = require('express');
var http = require('http');
var bodyParser = require('body-parser');
var logger = require('morgan');
var cors = require('cors');
var SuperLogin = require('superlogin');

var app = express();
app.set('port', process.env.PORT || 3000);
app.use(logger('dev'));
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(cors());

app.use(function(req, res, next) {
   res.header("Access-Control-Allow-Origin", "*");
   res.header('Access-Control-Allow-Methods', 'DELETE,POST, PUT');
   res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
   next();
});

var config = {
  dbServer: {
    protocol: 'http://',
    host: 'localhost:5984',
    user: '',
    password: '',
    userDB: 'sl-users',
    couchAuthDB: '_users'
  },
  mailer: {
    fromEmail: 'gmail.user@gmail.com',
    options: {
      service: 'Gmail',
        auth: {
          user: 'gmail.user@gmail.com',
          pass: 'userpass'
        }
    }
  },
  security: {
    maxFailedLogins: 3,
    lockoutTime: 600,
    tokenLife: 86400,
    loginOnRegistration: true,
  },
  userDBs: {
    defaultDBs: {
      private: ['defaultdbname']
    }
  },
  providers: { 
    local: true
  }
}

// Initialize SuperLogin 
var superlogin = new SuperLogin(config);

// Mount SuperLogin's routes to our app 
app.use('/auth', superlogin.router); 

app.listen(app.get('port'));
console.log("App listening on " + app.get('port'));

Aztec03hub commented 6 years ago

Same error, any word on this?

Aztec03hub commented 6 years ago

Okay, so first, this GitHub repo is different from what is downloaded via:

npm install --save superlogin@latest,

For whatever reason... If you have a local Redis and CouchDB server setup, download the repo directly and try running the tests.

Second, see if you have pouchdb-seed-design@0.3.0, if so, there's a few things you have to change.

(Colin screwed up his design-doc parsing by accident in that version.)

superlogin-master/test/ddocs/test.js:

module.exports = {
  test: {
    views: {
      mytest: {
        map: function (doc) {
          emit(doc._id);
        }
      }
    }
  }
};

superlogin-master/designDocs:

module.exports = {
  auth: {
    views: {
      email: {
        map: function(doc) {
          if(doc.email) {
            emit(doc.email, null);
          } else if(doc.unverifiedEmail && doc.unverifiedEmail.email) {
            // guard: a doc with neither field would otherwise throw inside the view
            emit(doc.unverifiedEmail.email, null);
          }
        }
      },
      username: {
        map: function(doc) {
          emit(doc._id, null);
        }
      },
      verifyEmail: {
        map: function(doc) {
          if(doc.unverifiedEmail && doc.unverifiedEmail.token) {
            emit(doc.unverifiedEmail.token, null);
          }
        }
      },
      emailUsername: {
        map: function(doc) {
          emit(doc._id, null);
          if(doc.email) {
            emit(doc.email, null);
          } else if(doc.unverifiedEmail && doc.unverifiedEmail.email) {
            // same guard as the email view above
            emit(doc.unverifiedEmail.email, null);
          }
        }
      },
      passwordReset: {
        map: function(doc) {
          if(doc.forgotPassword && doc.forgotPassword.token) {
            emit(doc.forgotPassword.token, null);
          }
        }
      },
      session: {
        map: function(doc) {
          if(doc.session) {
            for(var key in doc.session) {
              if(doc.session.hasOwnProperty(key)) {
                emit(key, doc._id);
              }
            }
          }
        }
      },
      expiredKeys: {
        map: function(doc) {
          if(doc.session) {
            for(var key in doc.session) {
              if(doc.session.hasOwnProperty(key) && doc.session[key].expires) {
                emit(doc.session[key].expires, {key: key, user: doc._id});
              }
            }
          }
        }
      }
    }
  }
};

superlogin-master/lib/util: (Look for Object.keys(providers).forEach(function(provider) {)

  Object.keys(providers).forEach(function(provider) {
    // one lookup view per configured provider, generated from the %PROVIDER% template
    ddoc.auth.views[provider] = {
      "map": ddocTemplate.replace(new RegExp('%PROVIDER%', 'g'), provider)
    };
  });

And that should do it.

I'm not sure how active this repo is, but when I have time I'll submit a pull request, or possibly fork this.

Let me know if this helped, @georgemccann :)
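
As an added example (not from this post or the superlogin project), the loop quoted above can be checked offline: the script applies the same %PROVIDER% substitution to a design doc and runs each map function against constructed user docs, so a view that throws or emits the wrong key shows up before the design doc is pushed to CouchDB. The provider template text, the sample docs and the guard in the email view are assumptions; the page shows only the replace loop.

```javascript
// Added example (not superlogin's code): build the `auth` design doc the way lib/util's
// %PROVIDER% loop does, then run the map functions offline against constructed user docs.
// The provider template text is an assumption; the page only shows the replace loop.
var PROVIDER_TEMPLATE =
  'function(doc) {\n' +
  '  if (doc.%PROVIDER% && doc.%PROVIDER%.profile) { emit(doc.%PROVIDER%.profile.id, null); }\n' +
  '}';
// The email view from designDocs, guarded so a doc lacking both fields does not throw.
var ddoc = { auth: { views: {
  email: {
    map: function (doc) {
      if (doc.email) {
        emit(doc.email, null);
      } else if (doc.unverifiedEmail && doc.unverifiedEmail.email) {
        emit(doc.unverifiedEmail.email, null);
      }
    }
  }
} } };

// Same substitution as the forEach in lib/util: one lookup view per configured provider.
function addProviderViews(ddoc, providers) {
  Object.keys(providers).forEach(function (provider) {
    ddoc.auth.views[provider] = {
      map: PROVIDER_TEMPLATE.replace(new RegExp('%PROVIDER%', 'g'), provider)
    };
  });
  return ddoc;
}
// CouchDB stores each map as source text and exposes a global emit(); mimic that so both
// function objects (designDocs) and strings (the provider template) get exercised.
function runView(view, docs) {
  var rows = [];
  var src = typeof view.map === 'function' ? view.map.toString() : view.map;
  var mapFn = new Function('emit', 'return (' + src + ');')(function (key, value) {
    rows.push({ key: key, value: value });
  });
  docs.forEach(function (doc) { mapFn(doc); });
  return rows;
}

var SAMPLE_DOCS = [ // constructed sample user docs, not real data
  { _id: 'alice', email: 'alice@example.com' },
  { _id: 'bob', unverifiedEmail: { email: 'bob@example.com', token: 'tok' } },
  { _id: 'carol', google: { profile: { id: 'g-123' } } }
];
// Keys each view emits; the register and login flows look users up by these.
function checkDesignDoc() {
  addProviderViews(ddoc, { local: true, google: { credentials: {} } });
  var key = function (r) { return r.key; };
  return {
    emails: runView(ddoc.auth.views.email, SAMPLE_DOCS).map(key),
    googleIds: runView(ddoc.auth.views.google, SAMPLE_DOCS).map(key)
  };
}
```

Because the provider views are plain strings, the same harness can be pointed at a design doc fetched back from CouchDB to confirm what was actually stored.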

Aztec03hub commented 6 years ago

Here's a fork with changes implemented: https://github.com/PhilLaFayette/superlogin

jh97uk commented 6 years ago

Having this issue with your fork @PhilLaFayette :

{
    "error": "Validation failed",
    "validationErrors": {
        "message": "[object Object]",
        "stack": "Error: [object Object]\n    at /home/james/Documents/proj/node_modules/superlogin/lib/user.js:71:15\n    at <anonymous>\n    at process._tickCallback (internal/process/next_tick.js:188:7)"
    },
    "status": 400
}
Aztec03hub commented 6 years ago

Hm. @JamesHealdUK I will investigate tomorrow. I remember this cropping up.

EDIT: Also, what are your node and npm version numbers?

EDIT#2: Also, do you have a local copy of both Redis, and CouchDB going? My fault for not specifying, if that indeed is the case.

EDIT#3: Okay, so I just looked into it now. Try adding pertinent DB info to env.sh, and running that script, before doing npm test. It just worked for me with a fresh clone.

EDIT#4: Remember to delete any existing 'uncleaned' test users and database(s) from your couch/fauxton DB.

EDIT#5: Also, try password-protecting your Redis instance, restarting the service, updating the pass in env.sh, and try again.

Lol. That should do it.

jetamartin commented 5 years ago

I'm trying to understand whether Superlogin is well supported and whether I should use it in my app. I've got the same "Registration validation failed" issue as noted here and it would seem like a critical issue that needs an immediate fix, but the author isn't fixing this issue which was reported in February 2018 and it's now December 2018....hmmm...not a good sign.

Maybe I should be looking for an alternative solution...Anyone know of one that solves the same problems but is properly maintained?

jetamartin commented 5 years ago

Given my concerns above I reached out to Colin Skow on twitter to see if he was still actively maintaining SuperLogin. Here is his response:

I am open to turning the repository over to new maintainers if there is interest. I open source many of the tools I create, but don't have the time to support them all. Apologies.

I'm hoping some qualified individuals will be willing to pick up SuperLogin and maintain it. It'd be a shame to see it fall into disrepair.

Cheers.

georgemccann commented 5 years ago

Warning: I wouldn't use this in any live project at all. There's lots of npm vulnerabilities and using superlogin allowed a bitcoin miner to be installed on my server.

Someone has released a fixed version for this on NPM if you search for it. I can't remember the package unfortunately as I finished the project some time ago now.

jetamartin commented 5 years ago

Yikes! Thanks for the heads up!!! Just curious...How did you detect the bitcoin miner (e.g., antivirus software?). Were there any obvious symptoms (e.g., significant server slowdown, etc.)? I noticed there were quite a few vulnerabilities noted after doing installation and I used the "npm audit" (?) command to fix some of them but as is typically the case this doesn't fix all vulnerabilities. I'll research and see what I can come up with. Again, thanks for the heads up.

Regards, Jet

georgemccann commented 5 years ago

I use AWS and have cloudwatch on the go. The CPU usage started to hit 100% and crash the server after a couple of weeks of deploying the app.

The virus that was installed was particularly foul, as it was able to change its name to stop you from killing the tasks. I had to destroy the server, and rebuild with the fixed version with updated npm packages.

I'd really look into alternatives to superlogin.

jetamartin commented 5 years ago

George, thanks for the info. I've already installed Superlogin...does that mean I'm already infected (bitcoin miner was in the Superlogin code or one of its packages?) Or does the bitcoin miner exploit the "weaknesses" in some of the npm dependencies making my system open to attack? Thoughts? I'm not familiar with any alternatives to Superlogin...but I guess I will have to start looking now.

FYI, when I did the npm install it noted 22 vulnerabilities with the packages and ZERO of them could be automatically fixed via "npm audit fix". If the vulnerabilities are not fixed (thus making it susceptible to attack) then I feel like this needs to be POSTED PROMINENTLY on GitHub (e.g., README) so others don't fall victim to it. I was completely unaware of the threat until you said something.

Regards, Jet

jetamartin commented 5 years ago

George, (not sure if I already said this or not but..) I contacted Colin via twitter and he said he was going to "try" and update Superlogin to at least address the open vulnerabilities. Hopefully he will have time to do so.

On a related topic, PhilLaFayette created a clone in response to the "Register validation failed" issue that you originally submitted. I tried the clone and I'm still having the same exact issues. Either his clone didn't fix the issue or I'm doing something wrong. Do you happen to know how to get in touch with him? He seems to be a ghost...no email listed in GitHub, no obvious twitter address (Unless his side gig is giving jamaican cruiseship tourists tours of the island..IREE...LOL). I know that his clone didn't address the outstanding vulnerabilities but I wanted to at least end on a superlogin high note and be able to register a user...in the event that Colin doesn't address the vulnerabilities. I've sunk so much time into Superlogin I'd like to have some inkling of success if I'm forced to abandon it.

Regards, Jet


jetamartin commented 5 years ago

@PhilLaFayette FYI I tried the cloned version you built to correct this issue but it failed to correct the issue for me. I'm getting the same failed results.

Are the files you noted in your first post the corrected file changes that you made to your clone? It wasn't clear...you just listed them but didn't say what you had fixed or if these were just the errant files? Can you clarify?

You stated:

superlogin-master/lib/util: (Look for Object.keys(providers).forEach(function(provider) {)

Again unclear...you say "Look for"...Are you trying to say this is what's wrong with the file or what?

In your post in response to @JamesHealdUK you stated:

EDIT#2: Also, do you have a local copy of both Redis, and CouchDB going? My fault for not specifying, if that indeed is the case.

I presume you were trying to say you need a local copy of CouchDB and Redis? If so is it really necessary to use Redis?

EDIT#3: Okay, so I just looked into it now. Try adding pertinent DB info to env.sh, and running that script, before doing npm test, It just worked for me with a fresh clone.

What "pertinent DB info" are you referring to? I see that there is COUCH_USER = 'sladmin' and COUCH_PASS="sladminpass". Do we need to change these to match accounts info for our local couchDB?

EDIT#4: Remember to delete any existing 'uncleaned' test users and database(s) from your couch/fauxton DB

Not sure what you mean by 'uncleaned' test users?

Thanks

georgemccann commented 5 years ago

@jetamartin This is the npm package I used https://www.npmjs.com/package/@sensu/superlogin

This one seems to be clean and stable and I haven't had any problems with it.

jetamartin commented 5 years ago

George, thanks for the pointer. I tried it yesterday but I'm encountering the same validation error (i.e., status 400 noting fields can't be blank) that I received on superlogin. Maybe I'm doing something wrong? I've tried to follow the "Quick Start" example exactly as specified. Maybe there is some subtlety that I'm missing???

I have a local copy of CouchDB running at the default port (with an admin account defined: username = admin, password = password). Note: I have tried changing the DbServer config object to specify that admin account username and password and I've also just left it blank as in the "Quick Start" example, but both yielded the same Validation error. My express "server" is listening on port 3000. I'm using Postman to send the request via x-www-form-urlencoded (assuming key & values need to be wrapped in quotes). I'm at a loss as to what to try next? Any thoughts? Thanks in advance.


chrispahm commented 5 years ago

Hey @jetamartin, hope you haven't lost all hope yet. I just found myself in the same situation that you were describing, where @sensu/superlogin throws the same validation error upon signup as the current npm version of superlogin.
For me, installing @PhilLaFayette's version with

npm i https://github.com/PhilLaFayette/superlogin/tarball/master

fixed it. Hope it does for you as well, or some other person that stumbles upon this.

jetamartin commented 5 years ago

Hey Christoph, thanks for the followup...I actually did give up on Superlogin. I reached out to Colinskow (the author) via twitter in December to see if he had plans to fix Superlogin and he said he would try and fix it in December but I've seen nothing from him...which is a bummer. For now I'm rolling my own. But if that falls through then I may revisit the version that you referenced. Thanks again! Really appreciate the follow up.

Cheers, Jet


bcjat commented 5 years ago

@jetamartin have you found any solution? Same issue here; tried all suggestions from the comments.