Not sure if this is a security feature, an oversight, or me missing the ocean for the waves, but wondering why there is no value attribute for the password field constructor
This is not an issue for user signup and other form creation events, but becomes a headache when, for example, a user renewal form does not have the password field filled in (and thus fails validation, which is ironic given that they just logged in in order to be able to renew in the first place ;-))
My workaround has been to set the value attrib manually by supplying it as an extra argument:
#inputPassword(
_form("password"), '_label-> "Password*", 'class-> "required",
'value-> _form("password").value map{Some(_)} getOrElse Some("")
)
would prefer the value attribute included by default, however, as with other input elements. Yes, I can override it, but wondering what the dealy-O is regardless
To me, you shouldn't be able to retrieve the user password in any way, since the password should be encrypted before storing it somewhere.
Related
How to perform slot validation in an intent using backend code (webhook).
I have seen how to perform slot filling using the webhooks but I want to know how to validate the slot data and re-prompt the user if validation fails.
Example:
User: I want to know the your services in London.
Bot: We do not provide service in London, please enter some other city name.
In short: If validation fails, reset the dialog contexts, trigger your intent again, and optionally use default values to keep other parameters that were actually valid (so you don't need to re-prompt the user for those again).
You don't need to declare an incoming context on that intent to achieve this. Note that you can use contexts in intents, even though they are not declared as incoming/outgoing contexts on that intent.
In this example, I'm requesting 2 parameters from the user (car make and model). Of course, Enable webhook call for slot filling needs to be set in your intent.
Steps:
On Dialogflow, in the intent, declare an Event. This can be used to trigger this intent from your fulfillment code:
In your parameters, declare a Default Value for each parameter you want to be able to keep after resetting the intent:
Set the Default Value to a parameter in a helper context. If this helper context does exist, the default value will be set, otherwise, it'll be kept empty. This will allow you to reset the intent and keep other parameters you already had. In this example, I'm using the context show-car-details-data, and setting the default value of parameter model to _model in that incoming context:
In your slot-filling fulfillment method, you can validate your parameter and re-prompt the user by reseting the intent. To do that, you need to 1) clear the current dialog contexts, 2) call setFollowupEvent to trigger your intent again, and 3) optionally set up some helper context you can use to assign default values (so you don't need to re-prompt user for those that were valid).
I'm using Dialogflow Fulfillment Node.js Library:
// clear dialog contexts:
agent.contexts.forEach( e => {
if ( e.name.endsWith('_id_dialog_context') ) agent.context.delete(e.name);
});
// workaround bug: https://github.com/dialogflow/dialogflow-fulfillment-nodejs/issues/160
agent.add('');
// set follow up event: this triggers your intent again
agent.setFollowupEvent('show-car-details');
// optionally set helper context to set default values and avoid re-prompt of already valid values
// in this example, keep make since it was a valid parameter
// clear model because it was invalid. User will be prompted again on model, but not on make
agent.context.set('show-car-details-data', 1, { '_make': make, '_model': '' });
Steps
Enable webhook for slot filing in Dialog flow with Entity set as "Required".
Get entity from arguments.
Programmatically check if it is not null and as per your requirement.
If it is correct, proceed further.
Else, RESET THE CONTEXT and ask the question as per the wrong slot input. Programmatically, set the output context same as input so that user can again respond back slot/entity. If the correct context is not present, the slot will not get captured. When a slot is captured as per set Entity, the context for that slot captured is finished and to recapture it you need to increase the lifespan or create it again.
So any one who has used perl dancer knows that to authenticate a user on login you can call authenticate_user
authenticate_user(
params->{username}, params->{password}
);
This is part of the Auth::Extensible plugin.
To me it looks like it encourages the use of storing passwords in plain text! Sure you can hash the password first then make sure the stored password is the same hash but this seems to be more of a work around and i found isn't guaranteed to work. I have only got this to work using sha1 which shouldn't be used. I want to use Bcrypt but the passphrase simply wont match. Possibly odd characters not matching i'm not sure.
The thing is using the dancer Passphrase plugin i can already validate the username and password without even needing to rely on authenticate_user to verify them. But for the dancer framework to consider the user logged in you still have to call authenticate_user which must be passed the password.
I'm completely stuck. I'm curious how other people have managed to use proper password management in dancer2?
Firstly, I'll echo the "you almost certainly don't need to be using authenticate_user()" comments. The plugin can handle all that for you.
However, "it doesn't hash it" is wrong; here's how it works. The
authenticate_user keyword loops through all auth realms configured, and for
each one, asks that provider's authenticate_user() method to see if it accepts
the username and password. The Database provider (and the others) fetch the
record from the DB, and use $self->match_password() (which comes from the
Provider role) to validate it; that code checks if the stored password from
the database starts with {scheme} and if so, uses
Crypt::SaltedHash->validate to validate that the user-supplied password (in
plain text, as it's just come in over the wire) matches the stored, hashed
passsword ($correct in the code below is the stored password):
if ( $correct =~ /^{.+}/ ) {
# Looks like a crypted password starting with the scheme, so try to
# validate it with Crypt::SaltedHash:
return Crypt::SaltedHash->validate( $correct, $given );
}
So, yes, if your stored password in the database is hashed, then it will match
it if the password supplied matches that hash.
For an example of what a stored hashed password should look like, here's
the output of the bundled generate-crypted-password utility:
[davidp#supernova:~]$ generate-crypted-password
Enter plain-text password ?> hunter2
Result: {SSHA}z9llSLkkAXENw8FerEchzRxABeuJ6OPs
See the Crypt::SaltedHash doco for details on which algorhythms are
supported by it, and the format it uses (which "comes from RFC-3112 and
is extended by the use of different digital algorithms").
Do bear in mind that the code behind authenticate_user is exactly what's used
under the hood for you.
For an example of just letting the plugin do the work for you, consider:
get '/secret' => require_login sub {
my $user = logged_in_user();
return "Hi, $user->{username}, let me tell you a secret";
};
... that's it. The require_login means that the plugin will check
if the user is logged in, and if not, redirect them to the login page
to log in. You don't need to call authenticate_user yourself, you
don't need to set any session variables or anything. logged_in_user()
will return a hashref of information about the logged in user (and because
the route code has require_login, there's guaranteed to be one at this
point, so you don't need to check).
If you need to check they have a suitable role, instead of just that they
are logged in, then look at require_role in the documentation instead.
In the documentation for Dancer2::Plugin::Auth::Extensible, the description for authenticate_user() says:
Usually you'll want to let the built-in login handling code deal with authenticating users, but in case you need to do it yourself, this keyword accepts a username and password ...
Which strongly implies to me that you shouldn't be calling this function at all unless you're doing something particularly clever.
I haven't used this module myself, but it seems to me that all the hashing and encryption stuff should be handled by one of the authentication providers and if there's not one that covers the case you use, then you can write one yourself.
Whenever I need to store secure passwords for a Dancer app, I reach for Dancer2::Plugin::Passphrase. I wonder if I should consider writing an Auth::Extensible style authentication provider for it.
I have my UsersController with my edit.ctp view. When I browse /users/edit/1, I see password field filled with ***** (filled with hash in entity User.php, using DefaultPasswordHasher). My UsersTable.php has password has required.
So, I can try:
unset($user->password); // in edit() from UsersController.php
and setting [require => false] in edit.ctp
When I save, I get
The user could not be saved. Please, try again.
Because in my UsersTable.php I have:
$validator
->requirePresence('password', 'create')
->notEmpty('password');
If I try to leave blank from controller I get error, if I try to fill with actual password, it hashes again.
How could I edit any user without change his password? Can I set this from model or I need to make password as not required?
I don't need show the real password to admins
I validate from controller for password_confirm (already works)
In add.ctp there is no problem because default value is always blank
I want to change password only if password field is filled
I suppose password needs to be required in Model because all users need their passwords, that's why I'm trying to keep it far from validation in controller
Validation says "on create" but even in update is needed, bug possible?
My cake version is 3.4.4
Thanks in advance
Couple of things:
Firstly, if you haven't already, you may want to mark the password field as hidden to prevent it from exposing the hash in toArray calls or JSON views.
Secondly, any data field provided to patchEntity will be validated and saved (as you've discovered), even if the value for the field is blank.
If you look at the entity with debug($user) you'll notice it tracks which fields are "dirty", and since patchEntity saw you submitted a password field (even if it was blank), it set the User entity's password to blank and marked it as "dirty". Even if you later call unset($user->password) it's still got a record of it being dirty, and so it'll attempt to validate a value for it.
You could potentially mark the field clean with $export->setDirty('password', false); but then when a new password was submitted in the form it wouldn't be saved.
A better option would be to check if the password field was blank before calling patchEntity, and unset it then:
if ($this->request->is(['patch', 'post', 'put'])) {
$data = $this->request->getData();
if(empty($data['password'])){
unset($data['password']);
}
$user = $this->Users->patchEntity($user, $data);
Excuse me if the answer is obvious but whilst I know Java I am very new to Scala, the Play framework and general web app development.
I have taken on a project that has a view where you can set up some database connection details that includes fields such as database name, username, password etc. At present the code uses the Play input helper 'inputText' and so the password field shows the password in plain text. I need to fix this and so have changed it to use the 'inputPassword' helper however whenever I visit this page in my app to edit one of the other fields the password field has not been populated with the password so the user needs to re-enter it in order to save, I do not want to have to do this.
The password populated when it was an inputText helper so I can only assume that there's something in the inputPassword helper that stops the value from populating in the form, maybe it expects the password field to only be used when inputting a new one? Is there a way to override this and have it fill in the on screen form with the password so the user does not have to re-enter in order to change another field on the page?
This is the old version in my view
#inputField(form("password"), '_label -> "Password", '_labelwidth -> "2", 'class -> "form-control", '_type -> "password", '_single -> false)</code>
This is the new version
#inputPassword(form("password"), '_label -> "Password", '_labelwidth -> "2", 'class -> "form-control", '_single -> false, '_type -> "password")
I then have an the templates inputField.scala.html which contains #helper.inputText(field, args:_*) and the inputPassword.scala.html which contains #helper.inputPassword(field, args:_*)
I tried adding 'value -> form("password").value to the parameters in the inputPassword version and whilst this displayed something in stars in the password field the credentials were incorrect so it cannot have been the correct information.
Any help or suggestions are appreciated, even if it is to just understand why inputText populates the field whereas inputPassword does not. The only other way I can think of to do this is possibly to have the password as a separate form on the same page and make it so the password entry is only mandatory when using the page for the initial set up of the database credentials and optional on the edit page.
I don't think it's really necessary to send password values back and forth for security reasons. As an internet user I've never seen form with filled password.
Regarding your case I see two options:
Either separate password change into another form (but this is usually an option if you have more sophisticated password reset process, like two-step verification)
Or apply the following password validation logic on the server: leave the password unchanged if it is empty
I have been creating user login form using the various groupcodes, the user login has to work based on the unique groupcodes.Let me explain these in detail there are two users called (X and Y) exists in the site with the following details
X loginname-testuser#gmail.com pwd- 123456 ,groupcode-TESTCODE
Y loginname-testuser#gmail.com pwd-test124, groupcode-TESTCODE2
My Authcontroller
$adapter = new Zend_Auth_Adapter_DbTable(Zend_Db_Table::getDefaultAdapter(),
'users',
'login',
'password',
'MD5(?)','groupcode','TESTCODE');
$adapter->setIdentity($form->getValue('username'))
->setCredential($form->getValue('password'));
$result = Zend_Auth::getInstance()->authenticate($adapter);
The result alwyas through the Authentication went Wrong error messsage. The default authcontroller takes the idenfity from the both the user rows, it doesn't takes from the user unique row value.
I'm not sure I completely understand the problem, but hopefully one of these solutions can help you.
First, you are passing 7 arguments to the Zend_Auth_Adapter_DbTable constructor, but its constructor only accepts 5 arguments, so groupcode and testcode have no effect in your code.
Since you are probably going to get more than 1 result, setting ambiguity identity flag may work for you. Set it by calling $adapter->setAmbiguityIdentity(true); so that if more than 1 result is returned, it will look at each one for a password match.
If you need to pass groupcode and testcode, then you probably need to create your own auth adapter. You could extend from Zend_Auth_Adapter_DbTable to take advantage of what it has already done, but override authenticate() so that it takes your groups into consideration.
Or, you could use Zend_Auth to check for an identity, but not use its authenticate method at all, and just write your own class to validate the user login, and then use Zend_Auth to set the identity.