Check usernameOnly parameter in passwordMatches #609
By analyzing the blame information on this pull request, we identified @JeremyPlease, @dvanwinkle and @johnnydimas to be potential reviewers.
Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please sign up at https://code.facebook.com/cla - and if you have received this in error or have any questions, please drop us a line at [email protected]. Thanks! If you are contributing on behalf of someone else (eg your employer): the individual CLA is not sufficient - use https://developers.facebook.com/opensource/cla?type=company instead. Contact [email protected] if you have any questions.
Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Facebook open source project. Thanks!
Hi, I just encountered this bug and got to the same conclusion: the passwordMatches check should not be done if usernameOnly is true. The solution in this pull request fixes the bug, but it actually forces a check of whether userToTest.pass is equal to user.pass, which is still wrong since userToTest.pass is undefined. I would replace that line with:
Yeah either way is fine, I was just going for less is more. The statement user.pass == undefined evaluates to a boolean value, not undefined. If usernameOnly is true, then it doesn't matter whether passwordMatches is true or false since the (usernameOnly || passwordMatches) statement on the following line will always hold true.
You are right, both have the same result, I just thought my solution is easier to understand :D
@lsohn Thanks for catching and fixing this!
That code could definitely use some cleanup 😶
Could you please add a test for this case to src/lib/tests/Authentication.test.js? Should be something like the test for authenticates valid user with valid username and usernameOnly except with useEncryptedPasswords.
…nameOnly and encrypted passwords'
@lsohn updated the pull request - view changes
Looks good!
@JeremyPlease, feel free to merge!
@flovilmart I don't have merge access on this repo 😞
And you can review :/ whatever GitHub :)
When authenticating to dashboard using encrypted passwords, bcrypt throws an error in the authenticate function that userToTest.pass is undefined. This happens when the userToTest object does not contain a password, which happens every time deserializeUser is called. The solution is to check the usernameOnly flag when initializing passwordMatches to avoid passing an undefined value to bcrypt.
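
The failure and the fix described above, as an added example that is not the project's own code. The function names, the sample user and `toyHash`/`compareSync` (a toy stand-in for bcrypt that, like bcrypt, throws on non-string arguments) are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not parse-dashboard's code.
// toyHash is a toy FNV-1a stand-in for bcrypt hashing, NOT a password hash.
function toyHash(s) {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h = Math.imul(h ^ s.charCodeAt(i), 0x01000193) >>> 0;
  }
  return 'toy$' + h.toString(16);
}

// Stand-in for bcrypt's compareSync: rejects undefined input by throwing.
function compareSync(plain, hash) {
  if (typeof plain !== 'string' || typeof hash !== 'string') {
    throw new Error('Illegal arguments: ' + typeof plain + ', ' + typeof hash);
  }
  return toyHash(plain) === hash;
}

// Constructed sample user store holding an encrypted password.
const users = [{ user: 'admin', pass: toyHash('s3cret') }];

// Before: the comparison runs even when usernameOnly is true, so a
// userToTest without a password (the deserializeUser case) throws.
function authenticateBefore(userToTest, usernameOnly) {
  return users.some(user => {
    const passwordMatches = compareSync(userToTest.pass, user.pass);
    return userToTest.name === user.user && (usernameOnly || passwordMatches);
  });
}

// After: usernameOnly is checked when initializing passwordMatches, so the
// comparison is skipped and never receives an undefined password.
function authenticateAfter(userToTest, usernameOnly) {
  return users.some(user => {
    const passwordMatches =
      usernameOnly || compareSync(userToTest.pass, user.pass);
    return userToTest.name === user.user && passwordMatches;
  });
}

// Reports 'ok', 'denied' or the thrown error message for one attempt.
function tryAuth(fn, userToTest, usernameOnly) {
  try {
    return fn(userToTest, usernameOnly) ? 'ok' : 'denied';
  } catch (e) {
    return 'error: ' + e.message;
  }
}
```

The username-only path skips the password check entirely, so it should be reachable only from session deserialization and never from the login form.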