Sending empty password on user update
  • Hi,

    it seems like it's possible to save an empty password for a user. I've been filtering empty input parameters through my interface, but while working on a remake I forgot to catch that and sent the following httpBody to the server:

    apsws.id=dummy&login=dummy&apsws.time=1420707900.501008&password=&apsws.authSig=4E34C1A0BC108CA6D1C9ADCC6F3E8774B3FD8C73&apsws.responseType=json&apsdb.update=true&hashedPassword=D41D8CD98F00B204E9800998ECF8427E&


    Action: SaveUser

    authSig was created with user credentials (COMPLEX)


    As you will see I also change the hashedPassword to stay synchronised with the FacebookAPI and hashedPassword is the md5 value for "" 


    I'm curious about how the server handles this request as I get a SUCCESS for the SaveUser request but after that I'm not able to login anymore


    Regards Daniel

  • Hi Daniel,

    The documentation of the SaveUser API on the Apstrata wiki mentions that the password is not mandatory upon update, and that it will be set to an empty value if sent empty. Therefore, the behavior that you are describing is the expected one.

    Note that the hashed password field is not part of the SaveUser API and was actually added to enable the creation of users who signed in with Facebook.

    Regards,
    Karim


  • Hi Karim,

    thx for the answer, that's what I expected.

    You are right, the hashedPassword is for the FacebookSDK, I added it to our solution because I combine two different login processes so a user might sign up with credentials first and later on add the Facebook login.

    Regards Daniel
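Added example, not part of the original thread and not Apstrata code: a client-side guard that removes blank credential fields from a SaveUser update before it is sent, so an empty form field cannot reset the account to an empty password. The function and constant names are hypothetical, the sample body is constructed from the request quoted above with the signature replaced by a placeholder, and it assumes that leaving `password` out of an update keeps the stored password (inferred from "not mandatory upon update").

```python
import hashlib
from urllib.parse import parse_qsl, urlencode

# MD5 of the empty string: the hashedPassword value seen in the request above.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Fields that must never be sent blank on an update (names taken from the thread).
CREDENTIAL_FIELDS = ("password", "hashedPassword")

# Constructed sample: the thread's request body with a placeholder signature.
SAMPLE_BODY = (
    "apsws.id=dummy&login=dummy&apsws.time=1420707900.501008&password=&"
    "apsws.authSig=PLACEHOLDER&apsws.responseType=json&apsdb.update=true&"
    "hashedPassword=D41D8CD98F00B204E9800998ECF8427E&"
)


def sanitize_save_user(params):
    """Return (clean_params, dropped_names) for a SaveUser update.

    A credential field is dropped when it is empty, whitespace only, or the
    MD5 of "" (a hash of an empty password is still an empty password).
    """
    clean, dropped = {}, []
    for name, value in params.items():
        if name in CREDENTIAL_FIELDS:
            stripped = value.strip()
            if not stripped or stripped.upper() == EMPTY_MD5:
                dropped.append(name)
                continue
        clean[name] = value
    return clean, dropped


def build_body(params):
    """URL-encode the sanitized parameters; also report what was removed."""
    clean, dropped = sanitize_save_user(params)
    return urlencode(clean), dropped


if __name__ == "__main__":
    # keep_blank_values=True so that "password=" is parsed instead of skipped.
    parsed = dict(parse_qsl(SAMPLE_BODY, keep_blank_values=True))
    body, dropped = build_body(parsed)
    print("dropped:", dropped)
    print("body:", body)
```
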
