Closed patrickmcelwee closed 6 years ago
I think I simply forgot to add that middle-tier route. It is generic code based on the assumption that the demo users share a pwd. I can easily share it.
It is used in a lot of my demos, as it makes demoing really easy. You log in once with a strong pwd, and only after that can you use the switch endpoint.
It really is for demo purposes, but it would save me a lot of trouble if most of the code were available already. I don't think it is a big security concern. We could wrap it in a hidden option, and disable it by default if you like.
OK, adding the route instead seems reasonable. We might consider commenting out the route and the loginService method by default, with a note about enabling it.
Do you have to present the correct password for any users you switch between?
Comments or toggles; both could work.
Present pwd? No. Thinking about it now makes me realize it must have been taking the pwd from the session in the middle tier. That might mean it would not work with digest auth (in which we should not be saving the pwd in the session).
It also refers to an '/api/user/switch' middle-tier route that doesn't exist.
I can see how this code could be helpful, and might actually be in use in some demos, but it seems to rely on a middle-tier route that is not in the project. I suggest removing the dead code, as in this PR.
Alternatively, the middle-tier it anticipates could be added, after vetting that it doesn't raise security concerns.