For this overload:
if CreateUser("username#email.com","pwd") , failed with error message :The e-mail address provided is invalid. Please check the value and try again.
but CreateUser("username#email.com","pwd","username#email.com") , succeed!
why?
It may be better to think of the methods like this:
CreateUser(Username, Password);
CreateUser(Username, Password, Email);
Without reflecting the code I couldn't say 100% for sure, but I'll bet those functions just call an internal function that takes in every possible parameter.
So your first call (simplified) is actually:
CreateUser("username#email.com", "pwd", null);
If you have configured your provider to require email address, then clearly null is not valid.
From the MSDN docs:
The SqlMembershipProvider provides an option to require a unique
e-mail address for each user. If the RequiresUniqueEmail property is
true, you will need to use one of the CreateUser overloads that allows
you to specify an e-mail address for the user being created.
Otherwise, a MembershipCreateUserException will be thrown.
Related
I am using the following command to get the username in a custom magnolia class:String userName = MgnlContext.getInstance().getJCRSession("website").getUserID();
Instead of getting the name of the user who is signed on in magnolia when the command was triggered I am getting admin for the value. How can I get the real user name - the one who signed on to magnolia?
Actually to get current user, what you want is to either inject MgnlContext or get it via MgnlContext.getInstance() call.
Once you have context, you call ctx.getUser().getName() to get current user name.
You can inject info.magnolia.cms.security.SecuritySupport to your class and use
info.magnolia.cms.security.SecuritySupport#getUserManager()
afterwards, you are exposed to plenty of utility method that one can fetch all users or users by group etc.
I'm using Meteor 1.8.1 and have found what seems like inconsistent and undocumented behaviour in the errors returned by Accounts.changePassword.
The docs say that a Meteor error object will include a 'reason' parameter.
But if the attempt to change password fails because the user is not logged in, the error object does not contain 'reason' or 'error', only 'message', which I cannot find in the documentation.
'message' appears to be always returned, despite being undocumented, but is inconsistent in that it includes the error code 403 in the case of incorrect password but not in the case where the user is not logged in.
Accounts.changePassword(oldPassword, newPassword, (error) => {
console.log('error.message', error.message);
// not logged in provides message
console.log('error.reason', error.reason);
// incorrect password provides reason and message
if (error) {
const text = error.reason || error.message;
console.log('error', text);
}
// success
});
So my questions are:
have I missed something? Or is the behaviour really inconsistent and undocumented?
is there an easy way to get a consistent error message in both cases?
are there any other 'gotchas' I should test for where Meteor returns an error in a different format again?
Many thanks for any enlightenment.
according to documentation, changePassword method runs only on the client, so you could always check if the user is logged in before attempting to change the password
if (!Meteor.user()) {
return reportError(new Error("Must be logged in to change password."), callback);
}
According to the docs the description of Accounts.changePassword is:
Change the current user's password. Must be logged in.
Therefore, when you try to call this when no user is logged in, it is reasonable for the response to be undefined or inconsistent. Yes, the docs for a Meteor.Error object specify a reason property, but Meteor.Errors are only thrown when a method wants to return a descriptive error, not when a method is called illegally.
Your user interface code should ensure that a change password form is never shown unless a user is logged in. If your change password form is only ever shown to logged in users, then you don't need to worry about catching these undefined errors.
Using Meteor, the Meteor.loginWithPassword function calls the server, which then returns a User not found error when the user does not exist, or a Match failed when the password does not match the user's password.
Is there an easy way for the server to return the same error (or no error) during both conditions of a failed login?
I don't want hackers to know when they found a valid username or UserID on my system. I don't want the server to say User not found, telling potential hackers when they have (or have not) found a valid user. It would be great if there's an easy way to change the error message the server returns from the accounts-password Meteor module, to harden the security a little bit. I'd like the server's error result to be something generic, like failed or undefined or null, regardless of the reason of the login error.
I know I can probably fork/re-purpose the accounts-password module, but hoping there's something simpler.
Thanks!
Yes, you can place the function somewhere in the /server-folder and change the error message. Like this:
Accounts.validateLoginAttempt(function(options) {
if (!options.allowed) { //that is, if there's an error
throw new Meteor.Error('login-error', 'Error!');
}
//...other code for other purposes below
});
/server/accounts.js
I'm trying to create an extranet user within sitecore but i'm having issues. I'm using the command Membership.CreateUser(username, password, email)
Nothing seems to happen though. No user is created in the extranet aspnetdb. No exceptions are thrown.
I also tried putting the domain as part of the user name: domain\username...and I get the error "You must specify a non-autogenerated machine key to store passwords in encrypted format. Either specify a different passwordFormat, or change the machineKey configuration to use a non-autogenerated decryption key.". My passwordFormat is Encrypted.
Any ideas what i'm doing wrong?
Thanks in advance.
Did you try what the error message suggested? I would try setting your own Machine Key. More about that here. As always, do this in a test/dev environment.
You can use below code -
uname = string.Format(#"{0}{1}", domain, userName);
Membership.CreateUser(uname, password, email);
I'd like to e-mail all my users a link to a symfony site that I am writing, and have it so that when they follow that link they are logged in to the site (probably with a special role, like IS_AUTHENTICATED_REMEMBERED), and redirected to a certain page. How can I do this?
So the link would be something like:
http://example.com/?key=[some sort secret key with their account encoded in it]
i'd do something like this: generate the key with a hash function over the username.
Then send them a link to http://example.com/?user=username&hash=the-hash-result.
In the action that will recieve this url you can get the request parameter username and hash, apply the same hash funcion to the username you recived and compare the result to the hash key in the request parameters.
If match, just set the appropiate credentials to the user and log him in
Lets see some code, in your authentication class you should have a function to authenticate a user with the $user and $password parameters. Here or extending this class you can define a funciton like this:
function authenticate($user,$hash-key){
if(hashFunction($user) == $hash-key){
$user->setAuthFunction(true);//sort of
}
}
Hope it helped you!
Not so easy to implement I can tell you but you got to take a look to the UsernamePasswordFormAuthenticationListener::attemptAuthentication method...
Make your own service to atteptAuthentication automaticaly.
Inspired by this message and this code, I wrote a controller that gets the user from the database, verifies the secret key, then fakes a login token as follows:
$providerKey = 'secured_area'; // Name of firewall from security.yml - not sure this is correct.
$token = new UsernamePasswordToken($user, null, $providerKey, array('AUTO_LOGIN'));
$this->container->get('security.context')->setToken($token);
(you need this at the top of your file)
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
It seems to work, and the user has a role of AUTO_LOGIN so I can easily restrict them from accessing more sensitive stuff until they have logged in with a username and password as normal.