Closed AbegaM closed 4 months ago
Auth mode enabled and not enabled.

I have tested this by creating the `.env` file and assigning `AUTH = true`, which enables the Auth mode. Subsequently, it creates the tables in `foobar.db`.

However, if the Auth mode is not enabled, it creates the database with the name `foobar.db` but does not create the tables. Then, when I attempt to create tables manually and create a user using the endpoint `/api/tables/_users/rows`, it successfully creates the user but returns the following error message: `Please restart soul so a default role can be created`.

So, if the Auth is disabled, why is this error message showing?
Hello @TahaKhanAbdalli, if the `AUTH` mode is disabled, there is no need to create users. The registration process will be skipped, and there will be no need to create roles. In this case, we have planned to make the `_users` table name reserved, meaning it will not be allowed to create a table with this name in the DB, so you only need to test the authentication feature by setting `AUTH` to `true`.
Okay, that should resolve the error. But in my opinion, there should be an additional check which confirms whether the `AUTH` is enabled or not.
Sure, when a user tries to access the reserved resources like `_roles`, `_roles_permissions`, `_users` and `_users_roles` while `AUTH` is set to `false`, we can throw an error saying: `You can't access this endpoint while AUTH is set to false`.
But @AbegaM - this looks like a legitimate use of the app. It may be a bit niche, but I see the logic in being able to do user management with auth (temporarily) switched off, then switch auth back on.

> Please restart soul so a default role can be created

This warning suggests the code is going down a route it shouldn't, if auth is off.
Note that this error message is not shown when `AUTH` is disabled. If `AUTH` is disabled there is no reason for the user to use the `/_users` endpoint. The error is thrown when the code fails to get the `default` role in the DB.
@IanMayo and we have decided to make the default table names reserved, so if the user tries to set the `AUTH` to `false` and then tries to create a table by using the reserved table names like `_users`, they will get an error.
Sure. Tables with reserved names cannot be created. But I see running with auth disabled as being like running as super-user - able to change (almost) anything.
@IanMayo The issue you mentioned about Soul's `default` endpoints being accessed while `AUTH` is set to `false` is fixed now. I have added a check that throws an error when a user tries to access the `default` endpoints when `AUTH` is set to `false`.
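An added illustration of the two checks discussed in this thread (example code written for this page, not Soul's own implementation): a request guard that rejects the reserved tables while `AUTH` is false and refuses to create a table whose name is reserved. The route shape, the `req`/`config` fields and the Express-style wrapper are assumptions.

```javascript
// Reserved table names named in this thread. The AUTH flag comes from the
// .env file ("AUTH = true"); a config object is assumed to carry it as a boolean.
const RESERVED_TABLES = new Set(['_users', '_roles', '_roles_permissions', '_users_roles']);

// Parse the .env value: only the literal "true" (any case, surrounding spaces ignored)
// enables auth, so a typo such as "ture" cannot silently enable it.
function parseAuthFlag(value) {
  return String(value).trim().toLowerCase() === 'true';
}

// Extract <name> from "/api/tables/<name>[/rows...]"; null for other paths.
function tableFromPath(path) {
  const m = /^\/api\/tables\/([^/?]+)/.exec(path);
  return m ? m[1] : null;
}

// Returns null when the request may proceed, otherwise { status, message }.
// Rule 1: a table may never be created with a reserved name (assumed request
//         shape: POST /api/tables with the new name in req.body.name).
// Rule 2: reserved tables cannot be reached through the API while AUTH is false,
//         so the default-role lookup that produced the thread's error never runs.
function guardReservedResources(config, req) {
  const body = req.body || {};
  if (req.method === 'POST' && req.path === '/api/tables' && RESERVED_TABLES.has(body.name)) {
    return { status: 400, message: `Table name ${body.name} is reserved` };
  }
  const table = tableFromPath(req.path);
  if (table && RESERVED_TABLES.has(table) && !config.AUTH) {
    return { status: 403, message: "You can't access this endpoint while AUTH is set to false" };
  }
  return null;
}

// Express-style middleware so the guard runs before any row handler.
function reservedResourcesMiddleware(config) {
  return (req, res, next) => {
    const err = guardReservedResources(config, req);
    if (err) return res.status(err.status).json({ message: err.message });
    next();
  };
}
```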
@thevahidal The comments in this PR are fixed, please let us know if you have additional comments
Modifications

- `processRequest` to remove some fields from the `/api/tables/_users` API call
- `processResponse` to redirect an API call to the user registration endpoint