Question: How to use sendResetPwd when find is authenticated in users service #66

Closed
rhythnic opened this issue Aug 14, 2017 · 4 comments

Comments

@rhythnic

When using feathers generate authentication via the feathers-cli, there is a before hook added to find on the users service: authenticate('jwt'). In this repo, the code for sendResetPwd calls the find method on the users service. Since the user won't be authenticated when the front-end client calls the sendResetPwd action, what is the best way to get around this without removing authentication on users.find?

@eddyystop
Collaborator

I expect this repo calls users.find() as the server, that is with context.params.provider === undefined. So you can change the auth hook to iff(context => context.params.provider, /* auth hook */ ).

Could you create an issue for feathers generate, should the above work? The generator should be changed.

@rhythnic
Author

I generated a very basic app to simplify things and to have a point of reference.

https://github.com/rhythnic/feathers-nopwd

The previous app used Mongoose and the app linked to here uses NeDB. The good news is that users.find is not an issue in this new configuration.

I encountered a different problem caused by the auth management action handlers returning the user object as the default. This makes it possible to get the user object without authenticating. For example, authManagement.create('sendResetPwd', { email }) returns the user object as the response. The sanitizeUserForClient config option can be used to prevent this, but it's currently undocumented. It seems like the default should be to not return the user. Also, it would be helpful if the sanitizeUserForClient function received the id of the action, for instance sendResetPwd.

@eddyystop How do you want to proceed with the latter issue? Do you want to create a separate issue? I'd be happy to do a PR. My inclination would be to not return the user unless there's a sanitizeUserForClient function, and to pass the action id to that function. I wonder though if this would be a breaking change that requires us to increment the major version for this package.
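The two fixes discussed in this thread, as an added example that is not code from the issue or from feathers-authentication-management: the provider-gated authentication hook from the first reply, and a sanitizeUserForClient that strips the reset and verify tokens from whatever the action handlers return. The iff and authenticate stand-ins, the hook context shape and the token field names are assumptions, written as plain functions so the block runs without Feathers installed.

```javascript
// Assumed hook context shape: { params: { provider, user } }; provider is undefined
// for the server's own calls and 'rest' / 'socketio' for external clients.

// Stand-in for feathers-hooks-common's iff(): run `hook` only when `predicate` holds.
function iff(predicate, hook) {
  return (context) => (predicate(context) ? hook(context) : context);
}

// Stand-in for authenticate('jwt'): an external call must carry a verified user.
function authenticateJwt(context) {
  if (!context.params.user) throw new Error('NotAuthenticated');
  return context;
}

// users.find before-hook: only external callers must authenticate, so the
// server-side users.find() issued by sendResetPwd (provider undefined) passes.
const usersFindBefore = iff((ctx) => Boolean(ctx.params.provider), authenticateJwt);

// Returns 'allowed' or the rejection reason so the outcome can be checked.
function checkUsersFind(context) {
  try {
    usersFindBefore(context);
    return 'allowed';
  } catch (err) {
    return err.message;
  }
}

// Assumed names of the token/expiry fields feathers-authentication-management
// keeps on the user record; none of them belongs in a response to the client.
const SENSITIVE_FIELDS = [
  'password', 'resetToken', 'resetShortToken', 'resetExpires',
  'verifyToken', 'verifyShortToken', 'verifyExpires', 'verifyChanges',
];

// sanitizeUserForClient option: drop every field a caller could replay or use
// to complete someone else's reset. Returns a new object, leaves `user` intact.
function sanitizeUserForClient(user) {
  const safe = { ...user };
  for (const field of SENSITIVE_FIELDS) delete safe[field];
  return safe;
}

// Constructed sample inputs.
const serverCall = { params: {} };
const anonymousClient = { params: { provider: 'socketio' } };
const loggedInClient = { params: { provider: 'rest', user: { id: 1 } } };
const storedUser = { id: 1, email: 'a@example.com', password: '$2a$hash',
  resetToken: 'tok', resetExpires: 0, isVerified: true };
```

With this pair in place an unauthenticated sendResetPwd still works (the server's own users.find is not gated), but the response no longer carries the hash or the live reset token.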

@rhythnic
Author

I determined that the original issue, users.find, was caused by my client configuration.

import feathers from 'feathers/client';
import auth from 'feathers-authentication-client';
import authManagementService from 'feathers-authentication-management';
import hooks from 'feathers-hooks';
import socketio from 'feathers-socketio/client';
import feathersStorage from '~utils/feathers-storage';
import io from 'socket.io-client';

const socket = io('http://localhost:3030');
const app = feathers()
  .configure(socketio(socket))
  .configure(hooks())
  .configure(auth({ storage: feathersStorage }))
  .configure(authManagementService()); // registers the auth-management service on the client app

export default app;

export const authManagement = app.service('authManagement');

I don't have time right now to determine why, but when I remove authManagement from the client-side configuration, I no longer get the auth problem on users.find.

import feathers from 'feathers/client';
import auth from 'feathers-authentication-client';
import hooks from 'feathers-hooks';
import socketio from 'feathers-socketio/client';
import feathersStorage from '~utils/feathers-storage';
import io from 'socket.io-client';

const socket = io('http://localhost:3030');
const app = feathers()
  .configure(socketio(socket))
  .configure(hooks())
  .configure(auth({ storage: feathersStorage })); // authManagementService() no longer configured here

export default app;

// The remote 'authManagement' service is still reachable over the socket.
export const authManagement = app.service('authManagement');

@eddyystop
Collaborator

eddyystop commented Aug 24, 2017

The repo is intended to be run on the server.

Feel free to reopen this issue for any reason.
