preaction / Yancy

The Best Web Framework Deserves the Best Content Management System
http://preaction.me/yancy/

Modifying Models with 'Password' type field in Yancy Editor #141

Open flash548 opened 2 years ago

flash548 commented 2 years ago

When modifying a model item in the Yancy Editor (e.g. 'user') that has a field of type 'password', if you change any field OTHER than the password field (e.g. 'email' or something), then submitting the form will cause the password type field to be re-hashed and persisted to the db - thereby changing the password unintentionally. Everything works fine if you send the password field (be it changed or unchanged) in plain-text so that the backend doesn't "rehash the hash".

preaction commented 2 years ago

Crap. The API is supposed to filter out format: "password" fields for the GET requests so that when you save it can treat anything in that password field as a new password to hash. So, fixing that (Yancy::Controller should send the empty string for password fields on get() and list() actions) should fix this issue.

That and it's really really bad to send out password hashes to anyone who asks 😛
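As an added illustration (not Yancy's own code, and in Python rather than Perl), the round trip below models the bug reported above and the fix preaction describes: a get() that returns the stored hash beside one that sends the empty string, and a set() that rehashes whatever arrives beside one that treats an empty password field as "unchanged". The schema, the PBKDF2 hash and the 'alice' row are constructed assumptions.

```python
import hashlib, hmac, os
# Constructed stand-in for a Yancy 'user' schema; the field marked
# format "password" is the one the editor must not round-trip as a hash.
SCHEMA = {"username": {"type": "string"}, "email": {"type": "string"},
          "password": {"type": "string", "format": "password"}}
PASSWORD_FIELDS = [k for k, v in SCHEMA.items() if v.get("format") == "password"]

def hash_password(plain):
    # Salted PBKDF2 as a stand-in for the backend's real hash (assumption).
    salt = os.urandom(16)
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, 50_000).hex()

def verify_password(plain, stored):
    salt_hex, digest_hex = stored.split("$")
    got = hashlib.pbkdf2_hmac("sha256", plain.encode(), bytes.fromhex(salt_hex), 50_000)
    return hmac.compare_digest(got.hex(), digest_hex)

def get_buggy(row):
    # Behaviour reported in the issue: the stored hash goes out to the form.
    return dict(row)

def set_buggy(row, form):
    # Hashes whatever arrives, so an untouched field re-hashes the hash.
    for f, v in form.items():
        row[f] = hash_password(v) if f in PASSWORD_FIELDS else v

def get_fixed(row):
    # The fix described above: send the empty string for password fields.
    out = dict(row)
    for f in PASSWORD_FIELDS:
        out[f] = ""
    return out

def set_fixed(row, form):
    # Empty password field means "unchanged"; anything else is a new password.
    for f, v in form.items():
        if f in PASSWORD_FIELDS:
            if v == "":
                continue
            v = hash_password(v)
        row[f] = v

def round_trip(use_fix):
    # Edit only the email through the form; report (old password still works, hash exposed).
    row = {"username": "alice", "email": "a@example.com", "password": hash_password("hunter2")}
    form = get_fixed(row) if use_fix else get_buggy(row)
    exposed = form["password"] != ""
    form["email"] = "alice@example.com"
    (set_fixed if use_fix else set_buggy)(row, form)
    return verify_password("hunter2", row["password"]), exposed
```

round_trip(False) shows an email-only edit silently replacing the stored password and the hash leaving the server; round_trip(True) keeps the password and exposes nothing.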

flash548 commented 2 years ago

Lol yeah. Or could have some separate way to change passwords from the Editor... that posts to a single endpoint that is just for this? But then I guess that would start getting opinionated. I came across this bug making my Mojo::Gateway proxy project (https://github.com/flash548/mojo-gateway) and just decided to host my own endpoint that then used the Yancy backend to change the password. Also any thought on having password expiration/changing feature? I can open a new feature request issue I suppose... my gateway project does it manually in an under route, but I was thinking of maybe creating a Pull Request for Password.pm... or something like this already in the works?