
Unauthorized Login with wrong password #18

Open
basuabhirup opened this issue Sep 17, 2021 · 3 comments

Comments

@basuabhirup

As reported by some of our fellow students, the issue is something like this:

  1. Go to localhost:3000/secrets
    --this should reroute you to the login page because you are not authenticated yet.

  2. Login with the CORRECT email BUT USE AN INCORRECT PASSWORD.
    --You won't be redirected to the /secrets route.

  3. Now manually go into localhost:3000/secrets
    --you should have access to the secrets page now despite having entered the wrong password.

I have the following suggestion to fix this issue by modifying the handler function of POST requests made on the /login route:

// Handle 'POST' requests made on the '/login' route:
app.post('/login', passport.authenticate('local', {
  successRedirect: '/secrets',
  failureRedirect: '/login',
}));

As the official documentation page of passportJS says, "calling passport.authenticate() middleware invokes req.login() automatically", so there is no need to call it separately before authenticating, which leaves a glitch for unauthorized access.

@xwilliam89

Glad I'm not the only one. Thank you for sharing @basuabhirup !
Yes, this is definitely a terrible bug. I hope Angela is able to fix it in the next course update.

Let me share my solution as well. I just use their Custom Callback example:

app.post('/login', function(req, res, next) {
  passport.authenticate('local', function(err, user, info) {
    if (err) { return next(err); }
    if (!user) { return res.redirect('/login'); }
    req.logIn(user, function(err) {
      if (err) { return next(err); }
      return res.redirect('/secrets');
    });
  })(req, res, next);
});

@cleytonap

I've come across the same issue.

Thanks a lot for sharing the solution, @basuabhirup!

@regan-mu

regan-mu commented Jul 15, 2022

I think the problem is logging in a user before you authenticate them.
Here's my work around as well.

app.route("/login")
    .get((req, res) => {
        res.render("login");
    })
    .post((req, res, next) => {
        passport.authenticate("local", (err, user) => {
            if (err) {
                return next(err);
            }
            if (!user) {
                return res.redirect("/login");
            }
            // Log in the user the strategy verified, not a fresh User built
            // from req.body: that object was never checked against the database,
            // and serializing it would store an id that does not exist.
            req.login(user, (err) => {
                if (err) {
                    return next(err);
                }
                res.redirect("/secrets");
            });
        })(req, res, next);
    });
