Geek Answers Handbook

Embed password to change using Loopback

I am trying to implement a password change function using the built-in Loopback method, it works fine, but it does not update the password with hash , but just saves plain text in db. I am using the loopback-component-passport npm package in this project. I searched a lot of sites, but I can’t find the right way to implement this feature. Does anyone know how to do this?

 //Change user pasword app.post('/change-password', function(req, res, next) { var User = app.models.user; if (!req.accessToken) return res.sendStatus(401); //verify passwords match if (!req.body.password || !req.body.confirmation || req.body.password !== req.body.confirmation) { return res.sendStatus(400, new Error('Passwords do not match')); } User.findById(req.accessToken.userId, function(err, user) { if (err) return res.sendStatus(404); user.hasPassword(req.body.oldPassword, function(err, isMatch) { if (!isMatch) { return res.sendStatus(401); } else { user.updateAttribute('password', req.body.password, function(err, user) { if (err) return res.sendStatus(404); console.log('> password change request processed successfully'); res.status(200).json({msg: 'password change request processed successfully'}); }); } }); }); });
+7
javascript loopbackjs strongloop
source share
3 answers

Use the built-in User.hashPassword that appears in the source code

 //Hash the plain password user.updateAttribute('password', User.hashPassword(req.body.password), function(err, user) { ... });
+7
source share

This is actually a bug that was introduced with loopback-datasource-juggler 2.45.0. By default, the password must be hashed.

https://github.com/strongloop/loopback-datasource-juggler/issues/844

https://github.com/strongloop/loopback/issues/2029

So be careful if you use user.hashpassword, it may not work in a future version if this is fixed, as it may hash the already hashed pw if it is not done correctly, but there should already be a length check and a check for $ 2 $ or any another start bit for hash values.

Edit : Install 2.45.1 from loopback-datasource-juggler and it should be fixed.

+4
source share

Here is my “complete” solution for implementing a specific method of remote remote data transfer in the LoopBack / StrongLoop - IBM project. Ensure that the loopback-datasource-juggler has a higher or equal version than 2.45.1 ( npm list loopback-datasource-juggler ). My user model is called MyUserModel and inherits from the built-in User model:

"my user is model.js"

 module.exports = function (MyUserModel) { ... MyUserModel.updatePassword = function (ctx, emailVerify, oldPassword, newPassword, cb) { var newErrMsg, newErr; try { this.findOne({where: {id: ctx.req.accessToken.userId, email: emailVerify}}, function (err, user) { if (err) { cb(err); } else if (!user) { newErrMsg = "No match between provided current logged user and email"; newErr = new Error(newErrMsg); newErr.statusCode = 401; newErr.code = 'LOGIN_FAILED_EMAIL'; cb(newErr); } else { user.hasPassword(oldPassword, function (err, isMatch) { if (isMatch) { // TODO ...further verifications should be done here (eg non-empty new password, complex enough password etc.)... user.updateAttributes({'password': newPassword}, function (err, instance) { if (err) { cb(err); } else { cb(null, true); } }); } else { newErrMsg = 'User specified wrong current password !'; newErr = new Error(newErrMsg); newErr.statusCode = 401; newErr.code = 'LOGIN_FAILED_PWD'; return cb(newErr); } }); } }); } catch (err) { logger.error(err); cb(err); } }; MyUserModel.remoteMethod( 'updatePassword', { description: "Allows a logged user to change his/her password.", http: {verb: 'put'}, accepts: [ {arg: 'ctx', type: 'object', http: {source: 'context'}}, {arg: 'emailVerify', type: 'string', required: true, description: "The user email, just for verification"}, {arg: 'oldPassword', type: 'string', required: true, description: "The user old password"}, {arg: 'newPassword', type: 'string', required: true, description: "The user NEW password"} ], returns: {arg: 'passwordChange', type: 'boolean'} } ); ... };

"my user model.json"

 { "name": "MyUserModel", "base": "User", ... "acls": [ ... { "comment":"allow authenticated users to change their password", "accessType": "EXECUTE", "property":"updatePassword", "principalType": "ROLE", "principalId": "$authenticated", "permission": "ALLOW" } ... ], ... }

Note. The same functionality can be performed using the PUT request on MyUserModel and simply specify {body]: "... newpassword ..."} in the body. But it is probably more convenient to have a specific remote method than this trick to enforce the security policy of the new password.

+1
source share

More articles:


All Articles