strongloop / loopback-component-passport

LoopBack passport integration to support third party logins and account linking

UserCredential is allowing links of a single account to multiple users. No way to catch errors. #209

Closed luncht1me closed 7 years ago

luncht1me commented 7 years ago

I need some serious help here.

I have a problem, where I'm trying to link an OpenID to my user account.

It works fine, but thing is, I can then sign in as a different user and link that same OpenID account.

There is no validation or checking that a UserCredential is already linked with the same externalId to a different userId.

So, my thought was, why not just do userCredentialModel.validatesUniquenessOf('externalId', {message: "externalId already exists"}); ?

Turns out, this works fine, internally. Thing is, I'm not getting this error exposed up to my application. When I use a validatesUniquenessOf on any model elsewhere in the site, when the validation catches the error I can see the response both in my console and in my error handling for the application.

Spent hours and hours digging today on how to get this error, which passport sees. I can log it in component-passport's lib/models/user-credential.js by changing the callback at the end of the userCredentialModel.create to be:

}, function(err, i) {
    console.log("user-credential", err, i);
    cb(err, i);
});

The console log shows the loopback validation error object as expected. But, even though it's passed into the callback here, it never appears within the application itself. I need to write some application logic around this validation error. But how can I if it's never bubbled back up to the server? It just seems to disappear silently inside the passport. The other thing is, my application does redirect to the failureRedirect url defined in my provider, but there's just no response data that I can find.

The res.statusCode is null, like the error is literally just ignored and we're passed on to the redirectUrl with no information as to why.

How am I supposed to handle this? Why isn't the error exposed to the application, even though I'm using loopback-native validation on the model?
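
Added example, not part of the original post and not loopback-component-passport code: an in-memory model of the link step that refuses to attach one external identity to a second user and returns a typed error the caller can branch on. It goes beyond the post by scoping uniqueness to the (provider, externalId) pair rather than externalId alone, since external ids are only unique within one provider. `LinkConflictError`, `CredentialStore`, `demo`, the error code and the sample ids are all assumptions made for illustration.

```javascript
// Added example: in-memory model of the link step, not the component's code.
// LinkConflictError, CredentialStore and demo are hypothetical names.
class LinkConflictError extends Error {
  constructor(provider) {
    super(`${provider} identity is already linked to another user`);
    this.name = 'LinkConflictError';
    this.code = 'IDENTITY_ALREADY_LINKED'; // stable code the app can branch on
    this.statusCode = 409;
  }
}

class CredentialStore {
  constructor() {
    this.ownerByIdentity = new Map(); // key(provider, externalId) -> userId
  }

  // JSON-encode the pair so "a" + "bc" and "ab" + "c" can never collide.
  static key(provider, externalId) {
    return JSON.stringify([String(provider), String(externalId)]);
  }

  // Node-style callback, like the create() callback quoted in the post.
  link(userId, provider, externalId, cb) {
    const k = CredentialStore.key(provider, externalId);
    const owner = this.ownerByIdentity.get(k);
    if (owner !== undefined && owner !== userId) {
      return cb(new LinkConflictError(provider)); // refuse a second owner
    }
    // Synchronous here; against a database, a unique index on the pair is
    // what closes the check-then-insert race.
    this.ownerByIdentity.set(k, userId);
    return cb(null, {userId, provider, externalId, created: owner === undefined});
  }
}

// Constructed scenario: two users, one external id, two providers.
function demo() {
  const store = new CredentialStore();
  const id = 'ext-1001'; // constructed sample value
  const seen = [];
  const record = (err, cred) =>
    seen.push(err ? err.code : cred.created ? 'linked' : 'already-linked');
  store.link('alice', 'openid', id, record);
  store.link('alice', 'openid', id, record); // same owner: idempotent
  store.link('bob', 'openid', id, record); // different owner: rejected
  store.link('bob', 'other-provider', id, record); // same id, other provider
  return seen;
}
```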

stale[bot] commented 7 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 7 years ago

This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository.