How to ensure a user's email is verified before they can sign in - needs feathers-authentication changes #17
Comments
Could you maybe comment:
|
@marshallswain ^^^ The hooks to do this yourself are documented at https://auk.docs.feathersjs.com/api/authentication/local-management.html#hooks Code: https://github.com/feathers-plus/feathers-authentication-management/blob/master/src/hooks.js#L42 |
Thanks for the reference to the docs. I am not sure what is best practice:
Currently my setup is 1 and it works, but 2 makes sense, as the original issue already mentioned 'bots could easily make lots of accounts etc.'. If I chose 2 I would not know how to do it, as isVerified is a property of the user, so you first need to create a user to have isVerified set to true, right?! |
I found this article and for now I will move forward using process 1. |
Interesting. Most people tend to go with option 2. |
@eddyystop I am giving this package a try today and also having the same problem (i.e. in my case I can get a login token without the email being verified). I can understand when you write above that
But where should I use that hook to disallow auth token creation or login for those with email not verified? Thanks! |
Are you using the isVerified hook? That will prevent a successful login regardless of what you get back. This repo works in conjunction with the Feathers authentication routines; it does not, and it cannot, override them. |
I have not used the isVerified hook yet because I have no idea where to put it. But I found a workaround by customizing the authentication-local verifier as per this documentation, since I am using the Feathers CLI. My modification is in \src\authentication.js
A bit of a hack. It works, but please let me know if I should do something else. |
@HarisHashim You should be using the isVerified and addVerification hooks as described in https://github.com/feathers-plus/feathers-authentication-management/blob/master/src/hooks.js rather than hacking authentication-local. |
Can I get sample code on how to do this? Something like adding a hook for authentication-local in the same source code file? |
@HarisHashim I believe the article explains what to do. |
I don't know if you still need help with this issue but the solution is very simple: add the isVerified hook. Example (you only need to add the two lines marked `!!!` to this service):

```js
// src/authentication.js
// The imports below are the ones the Feathers CLI generates for this file;
// the original post left them out as "Your imports", so they are assumed here.
const authentication = require('@feathersjs/authentication');
const jwt = require('@feathersjs/authentication-jwt');
const local = require('@feathersjs/authentication-local');
const oauth2 = require('@feathersjs/authentication-oauth2');
const GoogleStrategy = require('passport-google-oauth20').Strategy;
const FacebookStrategy = require('passport-facebook').Strategy;

// !!! Import the verification hooks
const verifyHooks = require('feathers-authentication-management').hooks;

module.exports = function (app) {
  const config = app.get('authentication');

  // Set up authentication with the secret
  app.configure(authentication(config));
  app.configure(jwt());
  app.configure(local());
  app.configure(oauth2(Object.assign({
    name: 'google',
    Strategy: GoogleStrategy
  }, config.google)));
  app.configure(oauth2(Object.assign({
    name: 'facebook',
    Strategy: FacebookStrategy
  }, config.facebook)));

  // The `authentication` service is used to create a JWT.
  // The before `create` hook registers strategies that can be used
  // to create a new valid JWT (e.g. local or oauth2)
  app.service('authentication').hooks({
    before: {
      create: [
        authentication.hooks.authenticate(config.strategies),
        // !!! isVerified() must run after authenticate(): it reads
        // context.params.user, which authenticate() populates, and throws
        // before any JWT is issued if that user is missing or not verified.
        verifyHooks.isVerified()
      ],
      remove: [
        authentication.hooks.authenticate('jwt')
      ]
    },
    after: {
      create: [
        context => {
          // Add the user to the result response
          context.result.user = context.params.user;
          // Don't expose sensitive information.
          delete context.result.user.password;
        }
      ]
    }
  });
};
``` |
I believe all the issues here have been addressed. If you have any new comments please make them in the authentication-local-management rewrite. Full details on the rewrite are posted to https://github.com/feathers-plus/authentication-local-management/blob/master/misc/upgrading.md |
Related to feathersjs-ecosystem/authentication#391.
Original bug report by @IBwWG
OK, so, as a newcomer, I really am not sure where exactly this issue fits into this repo, but @eddyystop is pretty involved here so I'm taking his word for it. :) (Original issue is at https://github.com/eddyystop/feathers-starter-react-redux-login-roles but I'm assured that it's not about that repo.)
Steps to reproduce
Expected behavior
Failure, since I never verified with the "e-mailed" token. (i.e. I didn't use the link that appears in the console at step 4.)
Actual behavior
Success and JWT token given via JSON. If you scrap the Accept header in step 5, you get a similar result served up in HTML.
System configuration
This is happening both on a Windows box and a Linux box I am testing on.
Module versions (especially the part that's not working):
feathers-authentication 0.7
feathers 2.0.3
NodeJS version:
Windows: node 7.3.0
Linux: node 6.9.2
Operating System:
Windows: 7x64sp1
Linux: Mint 17.3 (32-bit)
Module Loader:
see https://github.com/eddyystop/feathers-starter-react-redux-login-roles
I think the main issue is around documentation, or we should have a hook that someone can use to ensure that an email exists and has been verified. Currently the way I see this working is a hook after `auth.hooks.authenticate`, or a custom verifier for feathers-authentication-local that, upon looking up the user by email, also ensures that the email has been verified.
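The thread settles on the first of the two options above, a hook that runs after `authenticate`, and the posted `src/authentication.js` shows where it goes. The block below is an added example, not code from feathers-authentication-management or from any commenter: it models the authentication service's `before.create` hook chain in plain JavaScript so the behaviour in the original report (a valid password yields a JWT for an unverified account) and the ordering constraint of `isVerified()` can be checked offline. The `USERS` table, `authenticateLocal()`, `issueToken()` and the `login()` runner are constructed stand-ins for Feathers internals; the `isVerified()` check mirrors the one in the project's `hooks.js`, which reads `context.params.user`.

```javascript
// Added example, not code from the feathers-authentication-management project.
// A plain-JavaScript model of the authentication service's "before create"
// hook chain. The user table, hook runner and token format are constructed for
// this example; the isVerified() check mirrors the project's hooks.js.

class BadRequest extends Error {
  constructor(message) {
    super(message);
    this.name = 'BadRequest';
  }
}

// Constructed in-memory user table standing in for app.service('users').
// Passwords are plaintext only so the example runs without bcrypt.
const USERS = [
  { email: 'alice@example.com', password: 'pw-alice', isVerified: true },
  { email: 'bob@example.com', password: 'pw-bob', isVerified: false },
];

// Stand-in for authentication.hooks.authenticate('local'): find the user by
// email, check the password, and attach the record to context.params.user.
function authenticateLocal() {
  return context => {
    const { email, password } = context.data;
    const user = USERS.find(u => u.email === email && u.password === password);
    if (!user) throw new BadRequest('Invalid login');
    context.params.user = user;
    return context;
  };
}

// The check isVerified() performs: refuse unless params.user is present and
// verified. Because it depends on params.user, it only works after a hook
// that populates it.
function isVerified() {
  return context => {
    if (!context.params.user || !context.params.user.isVerified) {
      throw new BadRequest("User's email is not yet verified.");
    }
    return context;
  };
}

// Stand-in for the JWT the service creates once all before hooks pass.
// A placeholder string, not a real signed token.
function issueToken(context) {
  context.result = { accessToken: `token-for-${context.params.user.email}` };
  return context;
}

// Minimal synchronous hook runner (constructed). Returns the login outcome
// instead of throwing so both branches can be inspected.
function login(beforeHooks, data) {
  const context = { data, params: {}, result: null };
  try {
    for (const hook of beforeHooks) hook(context);
    issueToken(context);
    return { ok: true, token: context.result.accessToken, error: null };
  } catch (err) {
    return { ok: false, token: null, error: err.message };
  }
}

// Three configurations of the before.create chain:
//   noCheck:      the situation in the original report (any valid password wins)
//   correctOrder: authenticate, then isVerified (what the posted fix does)
//   wrongOrder:   isVerified before authenticate (params.user is still unset)
const noCheck = [authenticateLocal()];
const correctOrder = [authenticateLocal(), isVerified()];
const wrongOrder = [isVerified(), authenticateLocal()];

const ALICE = { email: 'alice@example.com', password: 'pw-alice' };
const BOB = { email: 'bob@example.com', password: 'pw-bob' };

console.log('no check, unverified bob:', login(noCheck, BOB));
console.log('correct order, verified alice:', login(correctOrder, ALICE));
console.log('correct order, unverified bob:', login(correctOrder, BOB));
console.log('wrong order, verified alice:', login(wrongOrder, ALICE));
```

Run it with `node`. The `noCheck` case reproduces the report: Bob never verified, yet a correct password gets him a token. `correctOrder` is the posted fix. `wrongOrder` is what a literal reading of "add the isVerified hook before authentication" would produce: every login fails, including Alice's, because `params.user` is not set until `authenticate` has run.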