Login HTTP endpoint is insecure #38

Closed
opened 2019-05-10 22:06:42 -04:00 by kdeng00 · 0 comments
kdeng00 commented 2019-05-10 22:06:42 -04:00 (Migrated from github.com)

Currently there is not a check done against the database to validate that the user credentials sent with the request to the /api/login HTTP endpoint is valid. Below is a list of ways to secure the login HTTP endpoint:

  • Validate that the user exists in the database and handle the situation accordingly if it does not exist
  • Validate that the password sent with the request matches that which is saved in the database record. The password is encrypted with Bycrypt. Look at the Register API Controller as well as the PasswordEncryption class for how the user is saved to the database
  • Issue an access token only when the user has been successfully validated
Currently there is not a check done against the database to validate that the user credentials sent with the request to the /api/login HTTP endpoint is valid. Below is a list of ways to secure the login HTTP endpoint: * Validate that the user exists in the database and handle the situation accordingly if it does not exist * Validate that the password sent with the request matches that which is saved in the database record. The password is encrypted with [Bycrypt](https://github.com/BcryptNet/bcrypt.net). Look at the [Register](https://github.com/amazing-username/Icarus/blob/master/Controllers/RegisterController.cs) API Controller as well as the [PasswordEncryption](https://github.com/amazing-username/Icarus/blob/master/Controllers/Utilities/PasswordEncryption.cs) class for how the user is saved to the database * Issue an access token only when the user has been successfully validated
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: phoenix/icarus#38