I have a requirement to mask user IDs in log files if the user ID is an email address. I can't access the code to the software we are using, so logback.xml is the only option I have to try and mask the e-mail address -- they want user1234#mycompany.org to show up as u******4#mycompany.org, so they can still search the logs if they need to find entries for someone. To complicate matters, there are other outputs to the logs that have the pattern something#something.com that aren't user IDs, so I need to find some keywords ahead of the e-mail address. Here are a couple of examples:
Initiating save of object; type: [User], id: [steven#verizon.net]
Cleaning user record; user: [steven#verizon.net]
And to further complicate things.... they also want to mask the E-mail in rest calls:
Request ended; method: [POST], uri: [/api/v2/token/validate?aid=web_demo&uid=steven%40verizon.net]
I've been trying to get something like this to work, capturing the strings that should prefix an email address or user ID, but I'm banging my head against the wall...
<maskRegex>(?:"user: ["|"[User], id: ["|"uid ["|"savedUser: "|"email_address"|"user"|"uid")\([a-zA-Z0-9]{1}([a-zA-Z0-9\+\.\_\-]{1,128}).#.*)"</maskRegex>
<maskRegex>(?:user: [|[User], id: [|uid [|savedUser: |email_address|user:|uid:)([a-zA-Z0-9]{1}([a-zA-Z0-9\+\.\_\-]{1,128}).#.*)</maskRegex>
Related
How does bot framework identify the user so it knows to go and grab correct state data? It identifies user correctly when same channel is used, even on different machines. Does it user IP address or something similar?
It is based on the Id property of the user + the channel Id. This user Id depends on the channel: each channel has a specific format of user Id, hence those 2 fields.
Examples:
Webchat: by default is userid but can be changed: user: { id: 'userid' },
Emulator: user ID is always set to default-user
Facebook Messenger: the user ID is a PSID (Page Scoped ID) of the user
Slack: the user ID is made of the concatenation of several parameters: Slack's Team ID, Slack's channel ID, and Slack's User ID
SMS: it's the phone number
Email: it's the email address
etc
deploying an internal (corporate) API manager 2.0.0 we found a limitation - the email address validation apparently enforces email validation with 2-4 email :
/store/site/themes/wso2/templates/ui/validation/custom-validation.js:
$.validator.addMethod('validEmail', function(value, element) {
var emailRegex = /^([A-Za-z0-9_\-\.])+\#([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4})$/;
return emailRegex.test(value);
}, i18n.t('Invalid email address'));
However - email addresses today may have even long last domain name (e.g. someuser#stad.gent, otheruse#my.internal.corporation)
I see the validation logic is implemented in the followinf file:
repository/deployment/server/jaggeryapps/store/site/themes/wso2/templates/ui/validation/custom-validation.js
Question: is the file the only place where the email format is enforced? (Users are managed in AD, so the default user view / management UI doesn't concern us too much atm)
Seems the only place where the email is validated is the script:
repository/deployment/server/jaggeryapps/store/site/themes/wso2/templates/ui/validation/custom-validation.js
I'm building REST API.
I have following structure
GET /user/{id} - get
POST /users - Create user
PUT /users/{id} - Update user
DELETE /users/{id} - Delete user
The problem is following. As I got from many tutorials/articles - it is bad practice to use action in URL. But what to do with such actions like:
check email (is unique)
recover user by email
?
Assume user registration. User submits form ( POST /users ) and I need to check if email is unique. Do I need to do it in same api method and return validation errors as response body?
Or do I need to create something like
POST /users/email
And what about user recovering by email? Where do I need to do it? Because recover is verb
POST /users/recover
I'm not sure, that I'm doing it right and I can't find correct explanation for that situation.
Validating the e-mail and registering the user
If you want, you can have an endpoint to check whether an e-mail is already registered or not. It's up to your requirements. So, you can have something as following and then send the e-mail which will be validated in the request payload:
POST /users/email/validation
{
"email": "mail#example.com"
}
The endpoint above can be invoke, for example, when the user completes the e-mail field of your account registration form.
However, do not forget checking if the e-mail is already registered when creating a user:
POST /users
{
"firstName": "John",
"lastName": "Doe",
"email": "mail#example.com",
"password": "123456"
}
If an e-mail is already registered, you could consider returning a 409 Conflict status code and a payload that includes enough information for a user to recognize the source of the conflict.
Recovering the password
I'm unsure if this is your requirement, because of this I posted a comment asking for clarification. I presume you are trying to recover the password of a user, assuming the user has no more access to their account.
If so, you could have an endpoint as following and then send the e-mail of the user in the request payload:
POST /users/password/recovery
{
"email": "mail#example.com"
}
Then your server can send a link with a token to the e-mail specified in the payload. Only send the e-mail if the e-mail specified in the payload is registered in your application, of course.
The link should take the user to a page where they will enter the new password and, when submitting, an endpoint to replace the password of the user will be invoked, sending the token and the new password to the server:
PUT /users/password?token=SomeValueGoesHere
{
"password": "654321"
}
I am trying to create users from a POST request sent from curl/httpie commands. Users are created in the User Model, but the password is stored in raw string format. This is what i do.
http POST http://127.0.0.1:8000/user/ username=taco password=123
This creates a User with the following credentials.
Now when I enter my admin site, and click on the details of user created. The password shows like this.
Invalid password format or unknown hashing algorithm.
Raw passwords are not stored, so there is no way to see this user's password, but you can change the password using this form.
I have automatic token creation system on user post_save. Token is also created. but when i put.
http POST http://127.0.0.1:8000/obtain/ username=taco password=123
url***/obtain goes to views.obtain_auth_token imported from rest_framework.authtoken.views from which I receive the token for the specified User.
but I get a error saying..
"non_field_errors": [
"Unable to log in with provided credentials."
]
I basically want to signup(create) a user from terminal(http/curl) and obtain their token from "/obtain"
No worries It so happened that you cant post password in raw string.
so by capturing the .username and .password from the query paramenter. I wrote a a create user code on my view , and set the password using .setpassword().
I want a Registration Form with only email + password. I am thinking to insert automatically email in username field. So, for eash user, I will have this:
username: example#example.com
password: mypassword
email: example#example.com
Of course email + password will be used in login process.
Is it a good solution to having 2 fields with the same value ? Or is there a more sofisticated solution ?
Thanks :)
Probably not a good idea to circumvent the expected regex validation on username which is r'^\w+$' (so no # or ., obviously). Also, there's a 30 character limit on username, so lots of email addresses won't fit.
You should write a custom auth backend that authenticates based on the actual email field - many people do this, so you can probably find samples on djangosnippets.
Two things to keep in mind - by default, the email field is non-unique. Also, you are almost definitely going to break the admin app, so you'll need to do some jiggery pokery if you want to use contrib.admin.