I would like to use an email address as the UserName. I can "/register" with only Email and Password (UserName is Nullable in the AuthUser table), but cannot then "/authenticate" because UserName is NULL. If I copy Email over to UserName in the AuthUser table, I can successfully "/authenticate".
The problem is that an email address has invalid characters according to the validation RegEx in the IsValidUsername method of the AuthFeatureExtensions class and so, you can't "/register" with UserName = email address.
I'm stuck on how to override that if possible?
Thanks,
Jay
ServiceStack Authentication already naturally supports authenticating by Email. When you authenticate with a Username that contains a '#' the ServiceStack will check the Email field instead of the Username.
So don't copy anything over, when you register just leave the Email in the Email field and the Username blank and it will work.
Related
I have my Ldap working the only issue i'm facing was when I try to login with email that is when I land in the else part in the below code. If my username is different from email then it throws error. i.e if my email is 'skumar#gmail.com' and my username is 'saurakumar' then it will through invalid username password error.
As internally I'm using username to make email i.e if the user login with name 'karan' then i'm expecting the email to be karan #gmail.com which is not true in many scenario and the Authentication fails. I'm looking for some solution wherein I can login either via email or via username I'll be able to authenticate user. Below is the snippet of my code. Please suggest?
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
ldapEnv.put(Context.PROVIDER_URL, url);
ldapEnv.remove(Context.SECURITY_PROTOCOL);
if (email == null) {
lContext = new InitialLdapContext(ldapEnv, null);
entryResult = searchUserEntry(lContext, user, searchCtrls);
final String usrDN = ((Context) entryResult.getObject()).getNameInNamespace();
lContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
lContext.addToEnvironment(Context.SECURITY_PRINCIPAL, usrDN);
lContext.addToEnvironment(Context.SECURITY_CREDENTIALS, pass);
lContext.reconnect(null);
} else {
ldapEnv.put(Context.SECURITY_PRINCIPAL, email);
ldapEnv.put(Context.SECURITY_CREDENTIALS, credentials);
lContext = new InitialLdapContext(ldapEnv, null);
return lContext;
searchUserEntry(lContext, user, searchCtrls);
}
Normally this is a 3-step process:
Bind to LDAP as an administrative user. Note that this should not be the master user defined in the configuration file: that's for OpenLDAP's use itself. Instead it should be a user mentioned in the DIT that has the appropriate search access for the next step.
Search for the user via some unique attribute, e.g. in your case email.
Using the found DN of the user and the password he specified, attempt to bind as that user (with the reconnect() method, after changing the environment of the context appropriately).
If all that succeeds, you have a login success. If (2) or (3) fail, you have a failure, and note that you should not tell the user which it was: otherwise you are leaking information to attackers. You should not mention whether it was the username (email) or the password that was wrong.
I am working on ATG11.2 , my requirement is as below:
User will click on forgot password button, a link with encoded user id and a temporary password will be sent to email. User will click on the link sent in email and will be redirected to ResetPassword.jsp where he will get an option to fill temporary password which is sent in email, new password and confirm password respectively
I am using ForgotPasswordHandler for this implementation. I have read that forgotpasswordhandler method replaces the password property with the new generated password. Therefore m storing the input box value of temporary password in ProfileFormHandler.value.oldpassword
The values are as below:
Temporary Password :
New Password:
ConfirmPassword
But , when I am debugging handleChangePassword method in ProfileForm it is not able to compare the passwords properly. Please suggest if my approach is correct , or what do I need to override in gmethod if any required.
ATG stores passwords in encrypted format.
You need to store your oldPassword in encrypted format too. The passwords will not be equal unless both the passwords are hashed and are same.
I am new to LDAP API. I am able to connect to a LDAP server and search the user. How would I authenticate a user with email/password using UnboundID LDAP API ?
I have not seen any authentication in LDAP which uses email and password to authenticate user?
Is it Possible to authenticate the user using email and password
What I am doing to authenticate the user given as below
Searching below the USERS Directory and matching Email and Finding his DN
Based on DN connecting the user and if Connection Successful, Authenticate the user or Execption occurs in Connecting then user is not Authenticated
Is there right way to authenticate the User?
You have to do two steps.
Using an administrative login, search the directory for the user.
Using that user's DN and the password he supplied, attempt to bind.
If either didn't succeed, either the identity or the password is incorrect.
Using the UnboundID LDAP SDK, this simple piece of code searches for the entry. If there is one entry that has the known email address, BIND using that DN (the password has to come from someplace else). Nothing happens (authenticated is false) is there is more one entry that matches the search parameters or if no entries match the search parameters. This code assumes that baseObject is dc=example,dc=com, subtree search is required, and the attribute with the email address has an alias mail. The code also assumes there is a bindDN and bindPassword that has sufficient access rights to search for the user with the email address. The email address for which it searches is assumed to be babs.jensen#example.com.
Exceptions are ignored throughout.
String baseObject = "dc=example,dc=com";
String bindDN = "dn-with-permission-to-search";
String bindPassword = "password-of-dn-with-permission-to-search";
// Exceptions ignored.
LDAPConnection ldapConnection =
new LDAPConnection(hostname,port,bindDN,bindPassword);
String emailAddress = "babs.jensen#example.com";
String filterText = String.format("mail=%s",emailAddress);
SearchRequest searchRequest = new SearchRequest(baseObject,
SearchScope.SUB,filterText,"1.1");
SearchResult searchResult = ldapConnection.search(searchRequest);
boolean authenticated = false;
if(searchResult.getEntryCount() == 1)
{
// There is one entry with that email address
SearchResultEntry entry = searchResult.getSearchEntries().get(0);
// Create a BIND request to authenticate. The password has
// has to come from someplace outside this code
BindRequest bindRequest =
new SimpleBindRequest(entry.getDN(),password);
ldapConnection.bind(bindRequest);
authenticated = true;
}
else if(searchResult.getEntryCount() > 1)
{
// more than one entry matches the search parameters
}
else if(searchResult.getEntryCount() == 0)
{
// no entries matched the search parameters
}
What is the best way to reset password only with token?
Now it mades with token and email, I want to get an email by checking tocket in reminders table.
Thanks!
Update
Resolved this by:
$email = DB::table(Config::get('auth.reminder.table'))->where('token', $token)->pluck('email');
Here's how I do password resets.
User clicks Forgot Password link and is taken to a form with one field for email.
They enter their registered email address and I check the email exists in the DB. If it does, I store a random reset code for that user using Str::random(60). I then save the user and email them a link with a reset code (eg. http://domain.com/reset/CODE).
User clicks the link and is taken to the URL above which checks the CODE. If the CODE exists in the DB, the password for the matching user is reset to something random using Str::random(10) and this new password is mailed to the user.
Not sure if this is right/wrong, but it works for me.
By default, devise uses an email address for sign up and sign in.
But I want that the email address should be allowed to be changed by the user.
If I allow the user to edit the email address, and the user specifies an "incorrect" (i.e. a typo by mistake) email address and then user signs out, and the user also forgets what the typo'ed email was, now the user account is inaccessible by the user!
How to best work around this? (except for creating a separate, unchangeable username field that will always allow user to login)
You can force the user to confirm his account again if he changes his email.
Once, you updated the password of the concerned user, you need to un-confirm the user, and then re-send the confirmation email.
To unconfirm the user :
user = User.find(1)
if user.confirmed?
user.confirmed_at = nil
user.save(:validate => false)
end
To resend the email confirmation :
user = User.find(1)
user.send_confirmation_instructions
Hope this help !
Devise does this out of the box. Here is the info from the initializer:
# If true, requires any email changes to be confirmed (exactly the same way as
# initial account confirmation) to be applied. Requires additional unconfirmed_email
# db field (see migrations). Until confirmed new email is stored in
# unconfirmed email column, and copied to email column on successful confirmation.
config.reconfirmable = true
In confirmable module you may see how it works.