Closed andreas-it-dev closed 4 years ago
Hi @awunder, have you checked the password value in the database before and after the password reset?
Could it be that the new password is not hashed at all? Do you use hashPassword('password') in the patch method of your users service hooks (e.g. in services/users/users.hook.js)?
Hey @OnnoGabriel,
thanks for the quick response. Yes, I do use those methods in my users.hooks.js:
```js
const { authenticate } = require("@feathersjs/authentication").hooks;
const verifyHooks = require("feathers-authentication-management").hooks;
const accountService = require("../authmanagement/notifier");
const {
  hashPassword,
  protect,
} = require("@feathersjs/authentication-local").hooks;

module.exports = {
  before: {
    all: [],
    find: [authenticate("jwt")],
    get: [authenticate("jwt")],
    create: [hashPassword("password"), verifyHooks.addVerification()],
    update: [hashPassword("password"), authenticate("jwt")],
    patch: [hashPassword("password"), authenticate("jwt")],
    remove: [authenticate("jwt")],
  },

  after: {
    all: [
      // Make sure the password field is never sent to the client
      // Always must be the last hook
      protect("password"),
    ],
    find: [],
    get: [],
    create: [
      (context) => {
        accountService(context.app).notifier(
          "resendVerifySignup",
          context.data
        );
      },
      verifyHooks.removeVerification(),
    ],
    update: [],
    patch: [],
    remove: [],
  },

  error: {
    all: [],
    find: [],
    get: [],
    create: [],
    update: [],
    patch: [],
    remove: [],
  },
};
```
and the PW is getting hashed and also changed. This is a recent example:
before requesting a PW reset:
after making the request:
after changing the password:
appreciate your help, Andreas
Ah, ok, it seems that you have to extend your users.hooks.js. The reason is that feathers-authentication-management is already hashing the new password. Then it saves the hashed password via the patch method of your user service, where (in your case) it is hashed again. To prevent this, you can limit hashPassword('password') to external calls. Thus, the password will not be hashed if feathers-authentication-management calls the user service internally. For example:
```js
const { hashPassword, protect } = require('@feathersjs/authentication-local').hooks
const verifyHooks = require("feathers-authentication-management").hooks;
const { iff, isProvider, preventChanges } = require('feathers-hooks-common')

// [...]

patch: [
  iff(
    isProvider('external'),
    preventChanges(
      true,
      'email',
      'isVerified',
      'verifyToken',
      'verifyShortToken',
      'verifyExpires',
      'verifyChanges',
      'resetToken',
      'resetShortToken',
      'resetExpires'
    ),
    authenticate('jwt'),
    hashPassword('password')
  )
]
```
See https://hackernoon.com/setting-up-email-verification-in-feathersjs-ce764907e4f2 for more details.
Fun fact: I followed that tutorial until the last step. I wanted to make it work though, before I bring in security :D
Anyway, that did the trick, thanks a lot Onno!
I'm glad I could help, Andreas.
I remember similar problems when I started with this package. We should probably update the docs.
Steps to reproduce
Hi,
idk if it is me or the auth management, but when I reset the password, it won't change it to the desired value but anything else, ending in a situation where I still can't sign in. Here is a walkthrough made with Feathers and Postman:
I got the reset token and try to reset the PW:
I get the all-clear message:
Now, when trying to sign in:
it won't let me in (not even with the old password)
I know the correct password is sent to the backend:
Bonus question: is it supposed to have the reset token twice and only once with my new password?
Expected behavior
It should reset the password to the desired value.
Actual behavior
It changes it to some unknown value.
System configuration
Module versions (especially the part that's not working): see my package.json:
NodeJS version: 12.18.1
Operating System: Windows 10
Browser Version: Chrome 83.0.4103.116 (Official Build) (64-bit)