Loopback updateAttributes setting password deletes token?


Problem description


I have an endpoint method named 'changePassword' with the HTTP path '/:id/changePassword'. Inside the method I find the account by id and update the password attribute of the model. The problem is that the password does change and gets updated, but the access token also gets deleted for no reason.

Current code

// Verify the old password first; only then write the new one
instance.hasPassword(data.oldPassword, function(err, isMatch) {
    if (err) {
        return cb(err);
    }
    if (!isMatch) {
        // Wrong old password: answer the request instead of leaving it hanging
        return cb(new Error('Old password does not match'));
    }
    instance.updateAttributes({'password': data.password}, function(errUpdateAccount, updatedAccount) {
        if (errUpdateAccount) {
            return cb(errUpdateAccount);
        }
        return cb(null, {
            status: 200
        });
    });
});

Recommended answer


Yes, this is the new behavior. If the whole user object is changed (User.update and friends), or just the password, all of the user's access tokens are invalidated.

Here is what a project collaborator said about it:


Logging out users is important for security reasons. Consider the case when somebody hacks the email that you used when registering with a LoopBack-powered app. After you find this out, you log into the app and change the email to a different one that wasn't hacked. Without session (access token) invalidation, the attacker would remain logged into your account and you would have no way to log them out.


Having said that, I agree that this makes the user experience less optimal. I am proposing to allow the end user to decide whether they want to log out other sessions or not; see #3071.


Right now there's just an open issue for this (#3071) with no pull request. There's no clean workaround for this.


If you are really desperate to have a solution, then you can monkey-patch loopback:


I had a look at the code, and found this part is responsible for it, which calls User._invalidateAccessTokensOfUsers. Since I haven't found this function used anywhere else in the project, I guess what you can do is a risky move: override it to do nothing:

// Override the hook so password/email changes no longer revoke the user's tokens;
// defer through process.nextTick so the callback stays asynchronous, as the original is
app.models.User._invalidateAccessTokensOfUsers = (ids, cb) => process.nextTick(cb);


This is the best way I can think of to fix the problem until they resolve this bug (#3071). Note that you should make sure your code and your dependencies also don't use _invalidateAccessTokensOfUsers, and that loopback doesn't start using it in other places. Comment it well, don't forget to remove it, and be very careful.
