Sails/Waterlock password reset flow - ember.js

G'day all,
Does anyone have any experience with the Waterlock flow for password resets? I've hit a wall which I can see a work-around for, but it seems really inelegant, so I'm probably missing something.
When I send through an auth/reset POST with an email element, the system proceeds to shoot the email out as planned.
When I then submit the received link in a POST request, with a password element, I see a "404" response.
HOWEVER
If I submit that link as a GET request first, and then submit the POST it works.
When I look into the waterlock-local-auth source, the reset POST action is testing for the presence of a decrypted token in the request object before allowing it to proceed.
SO
Either I code my front end to send a GET request (which doesn't respond properly) and then resubmit as a POST, or I go in and hack the waterlock-local-auth code to include a decode of the token (which is what I'm thinking is the most elegant solution).
Any clues?
Thanks,
Andy

I have got a similar problem, but I use angularjs as my frontend. This discussion thread is very helpful:
https://github.com/waterlock/waterlock-local-auth/issues/7
Basically, you are expected to submit a GET request to the URL received in the password reset email. After you click the link with the token, you will find in your database that a new ResetToken record has been created and the value in the token column is exactly the one you see in the URL. Then you should be redirected to the forwardUrl in the waterlock.js settings, where there should be a form or anything that can make you post to:
http://yourdomain.com/auth/reset?password=newpassword
Then the password is reset and the ResetToken record will be removed from your database.
If you look at the handlePost function here:
https://github.com/waterlock/waterlock-local-auth/blob/master/lib/controllers/actions/reset.js#L68
This explains why POSTing to the URL sent to you in the reset password email returns 404. The resetToken must already exist in the session in order for issuePasswordReset to be invoked, and the only place req.session.resetToken is set is within the validateToken method:
https://github.com/waterlock/waterlock-local-auth/blob/master/lib/controllers/actions/reset.js#L188
So you need a GET request first. Hope this helps.

Related

Cognito: re-send confirmation email

I'm working on a scenario where the user never got (or lost) the registration email with the temporary password. Now common sense will drive the user to the "forgot password" process. But there, he'll get an error saying "User password cannot be reset in the current state." What now? I'm trying to find a way to re-send the email with the temporary password FROM the client side.
I know there's the option of AdminCreateUser with "MessageAction": "RESEND" but that involves the back end and I would prefer keeping this logic in a component on the client side (where the rest of the authentication logic already is).
I've been trying with the "resendConfirmationCode" method of CognitoUser but I get a "NotAuthorizedException" error with the message "Can't resend confirmation code for this user".
Every other post I've read regarding this very scenario ultimately proposes the AdminCreateUser option without even trying to explain why "resendConfirmationCode" doesn't work.
Even if it can't be done, any help with this issue will be greatly appreciated.

ConfirmationCode is not getting invalid in wso2

When I use the UserInformationRecoveryService verifyConfirmationCode web service, the code should become invalid after it is verified once. We are sending an askPassword email after creating a user. The user should be able to use that confirmation code only once.
Is there any config that needs to be modified?
Currently, confirmation codes retrieved at password reset will only be invalidated at successful password reset or at confirmation code expiration. Please follow the details here.
As far as I remember, we had a plan to make this configurable, but from the JIRA I can't find whether we have implemented it or not, so most likely we haven't done that yet.

Deal with timeouts when posting data -no ajax

The use case:
The user makes an order, his payment gets accepted and his details are posted to a Django view. Using these details the Django view creates the user and everything that is necessary (username and password are provided by me). Then, before returning, it sends an email to the client's address with his data (username and password for now).
But sometimes I get a gateway timeout error from Apache (the app is deployed on OpenShift). Because the user is created, I assume that the timeout comes from the email-sending part. How can I make sure everything went OK and inform the user? How can I make sure that if the email isn't sent I can resend it? What is the best practice for that?
If you have timeouts with an API or service, you should fire your POST / sendmail request with AJAX:
Serialize the whole form (like jQuery's serialize())
Send that data via AJAX (with jQuery's ajax())
Inform the User of success or error (alert() or jQuery UI dialog)
You can find a lot of examples on this website.
Another "dirty" approach would be to add the attribute target="_blank" to your form tag, which opens your lazy request in a new tab / window.

JMeter Cookie Manager - not storing cookies?

Please VOTE TO CLOSE instead of downvoting. I can't delete the question now that there are answers for it.
I've been playing with JMeter for a few days now and I'm starting to get into the steeper part of the learning curve, it seems. I've added a login request (I had to put it in a Loop Controller in the Thread Group). I then have a Cookie Manager followed by two requests that are made by the browser (according to Fiddler) after logging in. These next two requests require a cookie though, and they don't seem to be working right now. I've set the Cookie Manager to "compatibility" for Cookie Policy. Then I look at the View Results Tree and I see that the two requests after login are failing, and in the Request tab I see "[no cookies]".
Rather perplexing. Here's a screenshot.
I've modified my login request a bit:
however the next request still fails with a "not logged in" and "forbidden" message:
Not sure, as I don't have the full test plan, but your login request seems to have failed because you get a redirect from http to https in the result tree.
As you can see in the tree, you have 2 samples inside the login one: one with http, then one with https.
If you are a beginner I suggest you read this:
http://jmeter.apache.org/usermanual/jmeter_proxy_step_by_step.pdf
It will help you build your test plan easily.
If you don't succeed with the proxy, then I suggest you remove the loop controller and test with only one iteration to see what's happening.
You can click on sampler in tree result and select request tab.
Check that your login request is using https, it's in scheme of http sampler.
If it's a redirect that you cannot anticipate, then disable "follow redirects" and, with a regexp post processor:
http://jmeter.apache.org/usermanual/component_reference.html#Regular_Expression_Extractor
extract the URL from the redirect and submit it with login and password in the next HTTP sampler.
Regards
I had to learn a little bit more about the requests being made to the system in order for this to work. Instead of a call to www.server.com/login, I made a request to www.server.com/sessions.json and provided a JSON file with username and password. Doing this set the cookie and the Cookie Manager took over. Then, without modifying the other two requests, everything was hunky-dory.
Based on the images that you have posted, I found the error.
Cookie manager should be under the scope "Test plan". You have created a Cookie manager with the scope HTTP request.
Please leave the HTTP Cookie Manager with the standard settings. It should work.
For more details refer to the below JMeter Documentation
http://jmeter.apache.org/usermanual/component_reference.html#HTTP_Cookie_Manager

I don't understand request flows

Having read a bit, I still don't understand. Can you help me see where I am going wrong?
a view function sends out a request and gets a response
a httprequest contains info about a currently requested url.
httprequest objects have 2 attributes containing info submitted by the user: GET and POST
Use post when requesting sensitive information, use get when not.
Post data is generally submitted from an html Form.
OK then. If I want sensitive information from a user such as their name, DOB etc., I put the requested info inside a form on the HTML side. On the server side I gather that info by using an object request and its attribute POST. I then point it to the HTML input name I specifically want. Thus we have request.POST['Name']; this will return a string value which I give to a variable of my choosing. Thus name = request.POST['Name']. name on the server side will now hold the user's entered name.
Before I continue, is there anything I have gotten wrong?
You're nearly right.
The distinction between GET and POST, however, has nothing to do with sensitive information. It's true that GET data is visible in the URL (after the ?) and POST data isn't, but that doesn't make POST any more secure; it's trivial to get that data if you want to.
In fact the difference is really one of semantics. GET is used when you're just requesting particular information from the server - for instance, page 2 of a set, or a specific search query. POST is used when you're updating information - submitting a form to change stored data.
Apart from that, you're just about there. One thing that will probably help you is to read up on Django's forms framework, which does a lot of the work in generation and validation of forms for you.
You got one tiny bit of it wrong.
The user sends out a request, which the view function receives, then the view function sends out a response.
And HTTP objects have a lot more information included than just GET and POST variables. See Django's official documentation for more information about this.