roottusk / vapi

vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.
GNU General Public License v3.0

Fix api2/user/login #30

Closed chovanecadam closed 2 years ago

chovanecadam commented 2 years ago

There is a discrepancy between the Postman docs, which specify a JSON payload, and the current implementation, which uses x-www-form-urlencoded. This pull request fixes this issue.

Currently this is possible:

```sh
curl http://localhost/vapi/api2/user/login -X POST -d 'email=savanna48@ortiz.com&password=zTyBwV/9'
# {"success":"true","token":"REDACTED"}
```

But the Postman docs say the payload should be JSON:

```json
{
    "email":"",
    "password":""
}
```

After my change, the application accepts the JSON payload.

```sh
curl http://localhost/vapi/api2/user/login -X POST -H 'Content-Type: application/json' -d '{"email": "savanna48@ortiz.com", "password": "zTyBwV/9"}' -v
# {"success":"true","token":"REDACTED"}
```

roottusk commented 2 years ago

Could you confirm if you have tested this and it's working fine? Thanks

roottusk commented 2 years ago

I believe the previous code also used to accept JSON. Maybe the code that you have committed strictly checks for JSON. Is that the case?