kahmali / meteor-restivus

REST APIs for the Best of Us! - A Meteor 0.9+ package for building REST APIs https://atmospherejs.com/nimble/restivus
MIT License

Try login with user who does not have password, crashes server #300

Open adamgins opened 5 years ago

adamgins commented 5 years ago

If you create a user by another means (e.g. Google login via accounts-google) and that user tries to call the REST `/login` route, it crashes the server.

I20190105-08:52:59.677(11)? loginWithPassword 3 { _id: 'a5d8f6c3281c74b723751f7b',
I20190105-08:52:59.677(11)?   createdAt: 1546636267939,
I20190105-08:52:59.677(11)?   email: '<some email>',
I20190105-08:52:59.678(11)?   emails: [ { address: '<some email>', verified: true } ],
I20190105-08:52:59.678(11)?   dateUserInvited: null,
I20190105-08:52:59.678(11)?   invitingResourceID: null,
I20190105-08:52:59.678(11)?   completedSetup: true,
I20190105-08:52:59.679(11)?   profile: { channels: [ [Object] ] },
I20190105-08:52:59.679(11)?   services: { resume: { loginTokens: [] }, password: { reset: [Object] } },
I20190105-08:52:59.679(11)?   acceptedLicense: true,
I20190105-08:52:59.679(11)?   dateLicenseAccepted: 1546636289969,
I20190105-08:52:59.679(11)?   dateInitialSetup: 1546636297839 } test
W20190105-08:52:59.680(11)? (STDERR) /Users/adamginsburg/Documents/development/buzzy7/node_modules/bcrypt/bcrypt.js:150
W20190105-08:52:59.680(11)? (STDERR)             cb(new Error('data and hash must be strings'));
W20190105-08:52:59.680(11)? (STDERR)             ^
W20190105-08:52:59.681(11)? (STDERR) 
W20190105-08:52:59.681(11)? (STDERR) TypeError: cb is not a function
W20190105-08:52:59.681(11)? (STDERR)     at /Users/adamginsburg/Documents/development/buzzy7/node_modules/bcrypt/bcrypt.js:150:13
W20190105-08:52:59.681(11)? (STDERR)     at _combinedTickCallback (internal/process/next_tick.js:131:7)
W20190105-08:52:59.681(11)? (STDERR)     at process._tickDomainCallback (internal/process/next_tick.js:218:9)

Note the user had tried to reset their password, so they had `reset` but not `bcrypt`, i.e. `password: { reset:`

To solve this you need to check for the bcrypt hash and not just `authenticatingUser.services?.password`

https://github.com/kahmali/meteor-restivus/blob/devel/lib/auth.coffee#L55

i.e.

 # reject users with no bcrypt hash (OAuth-only accounts, or only a pending reset)
 if not authenticatingUser.services?.password?.bcrypt
    throw new Meteor.Error 401, 'Unauthorized'