使用 Loopback 实现更改密码
Implement change password with Loopback
我正在尝试使用 Loopback 的内置方法实现更改密码功能,它工作正常,但它不会使用 hash 更新密码,而只是在数据库中保存纯文本。我在这个项目中使用 loopback-component-passport npm 包。我搜索了很多网站,但找不到实现此功能的正确方法。有谁知道如何做到这一点?
//Change user's pasword
app.post('/change-password', function(req, res, next) {
var User = app.models.user;
if (!req.accessToken) return res.sendStatus(401);
//verify passwords match
if (!req.body.password || !req.body.confirmation ||
req.body.password !== req.body.confirmation) {
return res.sendStatus(400, new Error('Passwords do not match'));
}
User.findById(req.accessToken.userId, function(err, user) {
if (err) return res.sendStatus(404);
user.hasPassword(req.body.oldPassword, function(err, isMatch) {
if (!isMatch) {
return res.sendStatus(401);
} else {
user.updateAttribute('password', req.body.password, function(err, user) {
if (err) return res.sendStatus(404);
console.log('> password change request processed successfully');
res.status(200).json({msg: 'password change request processed successfully'});
});
}
});
});
});
使用在源代码中看到的内置User.hashPassword
//Hash the plain password
user.updateAttribute('password', User.hashPassword(req.body.password), function(err, user) {
...
});
这实际上是 loopback-datasource-juggler 2.45.0 引入的错误。默认情况下密码应该被散列。
https://github.com/strongloop/loopback-datasource-juggler/issues/844
https://github.com/strongloop/loopback/issues/2029
所以当心如果你使用 user.hashpassword 它可能在未来的版本中无法工作,因为如果没有正确完成它可能会散列一个已经散列的密码,但是应该已经检查了长度加上检查 $2$ 或哈希值的起始位。
编辑:安装 loopback-datasource-juggler 2.45.1,它应该已修复。
这是我的 "full" 解决方案,用于在 LoopBack / StrongLoop - IBM 项目中实现特定的 updatePassword 远程方法。
请确认 loopback-datasource-juggler 包的版本高于或等于 2.45.1 (npm list loopback-datasource-juggler)。
我的用户模型称为 MyUserModel 并继承自内置模型 User:
"my-user-model.js"
module.exports = function (MyUserModel) {
...
MyUserModel.updatePassword = function (ctx, emailVerify, oldPassword, newPassword, cb) {
var newErrMsg, newErr;
try {
this.findOne({where: {id: ctx.req.accessToken.userId, email: emailVerify}}, function (err, user) {
if (err) {
cb(err);
} else if (!user) {
newErrMsg = "No match between provided current logged user and email";
newErr = new Error(newErrMsg);
newErr.statusCode = 401;
newErr.code = 'LOGIN_FAILED_EMAIL';
cb(newErr);
} else {
user.hasPassword(oldPassword, function (err, isMatch) {
if (isMatch) {
// TODO ...further verifications should be done here (e.g. non-empty new password, complex enough password etc.)...
user.updateAttributes({'password': newPassword}, function (err, instance) {
if (err) {
cb(err);
} else {
cb(null, true);
}
});
} else {
newErrMsg = 'User specified wrong current password !';
newErr = new Error(newErrMsg);
newErr.statusCode = 401;
newErr.code = 'LOGIN_FAILED_PWD';
return cb(newErr);
}
});
}
});
} catch (err) {
logger.error(err);
cb(err);
}
};
MyUserModel.remoteMethod(
'updatePassword',
{
description: "Allows a logged user to change his/her password.",
http: {verb: 'put'},
accepts: [
{arg: 'ctx', type: 'object', http: {source: 'context'}},
{arg: 'emailVerify', type: 'string', required: true, description: "The user email, just for verification"},
{arg: 'oldPassword', type: 'string', required: true, description: "The user old password"},
{arg: 'newPassword', type: 'string', required: true, description: "The user NEW password"}
],
returns: {arg: 'passwordChange', type: 'boolean'}
}
);
...
};
"my-user-model.json"
{
"name": "MyUserModel",
"base": "User",
...
"acls": [
...
{
"comment":"allow authenticated users to change their password",
"accessType": "EXECUTE",
"property":"updatePassword",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW"
}
...
],
...
}
NB: The same functionality can be performed using a PUT request on MyUserModel and just specifying { "password":"...newpassword..."} in the body. But it probably is more convenient to have a specific remote method than this trick in order to enforce security policy on the new password.
我正在尝试使用 Loopback 的内置方法实现更改密码功能,它工作正常,但它不会使用 hash 更新密码,而只是在数据库中保存纯文本。我在这个项目中使用 loopback-component-passport npm 包。我搜索了很多网站,但找不到实现此功能的正确方法。有谁知道如何做到这一点?
//Change user's pasword
app.post('/change-password', function(req, res, next) {
var User = app.models.user;
if (!req.accessToken) return res.sendStatus(401);
//verify passwords match
if (!req.body.password || !req.body.confirmation ||
req.body.password !== req.body.confirmation) {
return res.sendStatus(400, new Error('Passwords do not match'));
}
User.findById(req.accessToken.userId, function(err, user) {
if (err) return res.sendStatus(404);
user.hasPassword(req.body.oldPassword, function(err, isMatch) {
if (!isMatch) {
return res.sendStatus(401);
} else {
user.updateAttribute('password', req.body.password, function(err, user) {
if (err) return res.sendStatus(404);
console.log('> password change request processed successfully');
res.status(200).json({msg: 'password change request processed successfully'});
});
}
});
});
});
使用在源代码中看到的内置User.hashPassword
//Hash the plain password
user.updateAttribute('password', User.hashPassword(req.body.password), function(err, user) {
...
});
这实际上是 loopback-datasource-juggler 2.45.0 引入的错误。默认情况下密码应该被散列。
https://github.com/strongloop/loopback-datasource-juggler/issues/844
https://github.com/strongloop/loopback/issues/2029
所以当心如果你使用 user.hashpassword 它可能在未来的版本中无法工作,因为如果没有正确完成它可能会散列一个已经散列的密码,但是应该已经检查了长度加上检查 $2$ 或哈希值的起始位。
编辑:安装 loopback-datasource-juggler 2.45.1,它应该已修复。
这是我的 "full" 解决方案,用于在 LoopBack / StrongLoop - IBM 项目中实现特定的 updatePassword 远程方法。
请确认 loopback-datasource-juggler 包的版本高于或等于 2.45.1 (npm list loopback-datasource-juggler)。
我的用户模型称为 MyUserModel 并继承自内置模型 User:
"my-user-model.js"
module.exports = function (MyUserModel) {
...
MyUserModel.updatePassword = function (ctx, emailVerify, oldPassword, newPassword, cb) {
var newErrMsg, newErr;
try {
this.findOne({where: {id: ctx.req.accessToken.userId, email: emailVerify}}, function (err, user) {
if (err) {
cb(err);
} else if (!user) {
newErrMsg = "No match between provided current logged user and email";
newErr = new Error(newErrMsg);
newErr.statusCode = 401;
newErr.code = 'LOGIN_FAILED_EMAIL';
cb(newErr);
} else {
user.hasPassword(oldPassword, function (err, isMatch) {
if (isMatch) {
// TODO ...further verifications should be done here (e.g. non-empty new password, complex enough password etc.)...
user.updateAttributes({'password': newPassword}, function (err, instance) {
if (err) {
cb(err);
} else {
cb(null, true);
}
});
} else {
newErrMsg = 'User specified wrong current password !';
newErr = new Error(newErrMsg);
newErr.statusCode = 401;
newErr.code = 'LOGIN_FAILED_PWD';
return cb(newErr);
}
});
}
});
} catch (err) {
logger.error(err);
cb(err);
}
};
MyUserModel.remoteMethod(
'updatePassword',
{
description: "Allows a logged user to change his/her password.",
http: {verb: 'put'},
accepts: [
{arg: 'ctx', type: 'object', http: {source: 'context'}},
{arg: 'emailVerify', type: 'string', required: true, description: "The user email, just for verification"},
{arg: 'oldPassword', type: 'string', required: true, description: "The user old password"},
{arg: 'newPassword', type: 'string', required: true, description: "The user NEW password"}
],
returns: {arg: 'passwordChange', type: 'boolean'}
}
);
...
};
"my-user-model.json"
{
"name": "MyUserModel",
"base": "User",
...
"acls": [
...
{
"comment":"allow authenticated users to change their password",
"accessType": "EXECUTE",
"property":"updatePassword",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW"
}
...
],
...
}
NB: The same functionality can be performed using a PUT request on MyUserModel and just specifying { "password":"...newpassword..."} in the body. But it probably is more convenient to have a specific remote method than this trick in order to enforce security policy on the new password.