Reset Loopback Password with Access Token


Problem description


I'm working on a project that uses Loopback as a framework, and includes users and authentication. I added a password reset route generated and sent in an email, and everything seemed to be working correctly. Recently, I discovered that the password reset does not appear to be working. The process for resetting the password here is:



  • Call password reset method for user
  • Send email from reset event, including user ID and access token
  • From reset link, set $http.defaults.headers.common.authorization to the passed token
  • Call user.prototype$updateAttributes (generated by lb-ng) to update password attribute based on a form


The expected behavior is that the password would be updated on the password reset form. Instead, I get an authorization error as either a 401 or a 500 (seems to go back and forth). I notice that in the actual headers sent to the API, the authorization token does not match what I'm passing from the route. Trying to set it using LoopBackAuth.setUser doesn't work, and neither does updating the authorization property before actually sending the request.


I definitely spent time testing this when it was first added, and I can't figure out what would have changed to break this. I've been following the example from loopback-faq-user-management, but we have an Angular front-end instead of the server side views in that example.

Edit:


I tried opening up the ACLs completely to see if I could update the password (or any properties) of my user object (which inherits from User, but is its own type). I'm still getting a 401 when trying to do this.

Edit #2:


Here are my ACLs and sample code for how I'm calling this.


ACLs from model definition

...
{
    "accessType": "*",
    "principalType": "ROLE",
    "principalId": "$owner",
    "permission": "ALLOW"
},
{
    "accessType": "EXECUTE",
    "principalType": "ROLE",
    "principalId": "$owner",
    "permission": "ALLOW",
    "property": "updateAttributes"
}
...

auth.js

...
resetPassword: function(user) {
    return MyUser.prototype$updateAttributes(user, user).$promise;
}
...


Recommended answer


Figured out what the issue was. In our app's server, we were not using Loopback's token middleware. Adding app.use(loopback.token()); before starting the server causes the access token provided in the reset link to work as expected!

