openMF / web-app

Mifos X Web App is the revamped version of the Mifos X Community App built on top of the Fineract Platform leveraging the popular Angular framework.
https://openmf.github.io/web-app/
Mozilla Public License 2.0

Cannot log-in with passwords containing '#' #473

Closed MagicKriss closed 5 years ago

MagicKriss commented 5 years ago

Description

A user with a password containing '#' can be created, but cannot be logged in. This is because the password for authentication is sent in a non-encoded query parameter. As a minimum, the query parameter should be encoded. An even better solution would be to send credentials in a request body. Although the query parameter is sent over Secure HTTP, the incoming URL with parameters may still be logged in servers, and browsers may save requests in history, which raises security concerns.

Steps to Reproduce

  1. Create a user with a password containing '#' character. E.g. 'password#123'.
  2. Try to log in with that user.

Expected Behaviour

User can log in.

Actual Behaviour

User cannot log in because the '#' character and everything after it gets ignored by the browser.
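The truncation described in this issue, shown as an added example that is not part of the openMF/web-app or Fineract code; the base URL, endpoint path and parameter names are assumptions for illustration. It contrasts the raw query string with an encoded one and with a request-body login, using the WHATWG `URL`/`URLSearchParams` API available in browsers and Node.

```javascript
// Assumed base URL and endpoint, for illustration only.
const BASE = 'https://example.invalid/fineract-provider/api/v1';

// Naive construction: the password is pasted into the query string as-is.
// A '#' in the value turns the rest of the URL into a fragment.
function naiveLoginUrl(username, password) {
  return `${BASE}/authentication?username=${username}&password=${password}`;
}

// Minimum fix: every query value is percent-encoded, so '#', '&', '=' and '%'
// travel as data rather than as URL syntax ('#' becomes '%23').
function encodedLoginUrl(username, password) {
  const query = new URLSearchParams({ username, password });
  return `${BASE}/authentication?${query.toString()}`;
}

// What the server actually receives: the browser drops the fragment before
// sending the request, and the URL parser does the same here.
function passwordSeenByServer(url) {
  const parsed = new URL(url);
  return parsed.searchParams.get('password'); // decoded value, fragment excluded
}

// Preferred fix: credentials go in the request body, so they never appear in
// access logs, proxy logs or browser history that record the request URL.
function loginRequest(username, password) {
  return {
    method: 'POST',
    url: `${BASE}/authentication`,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password }),
  };
}

// Constructed sample credentials matching the reproduction steps above.
const SAMPLE_USER = 'mifos';
const SAMPLE_PASSWORD = 'password#123';

// Demonstrates the three outcomes side by side.
function demo() {
  return {
    naive: passwordSeenByServer(naiveLoginUrl(SAMPLE_USER, SAMPLE_PASSWORD)),     // 'password'
    encoded: passwordSeenByServer(encodedLoginUrl(SAMPLE_USER, SAMPLE_PASSWORD)), // 'password#123'
    body: JSON.parse(loginRequest(SAMPLE_USER, SAMPLE_PASSWORD).body).password,   // 'password#123'
  };
}
```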

abhaychawla commented 5 years ago

@MagicKriss There is an existing issue for the same at the backend: https://issues.apache.org/jira/browse/FINERACT-629