CommunityAuth Password Characters
We're running into an issue with CommunityAuth and passwords and I'm not quite sure where to look to configure to either block or allow...
If a user includes a '&' (ampersand) character in their password it's allowing the change to go ahead but then they can't log in, so the & is being misinterpreted at some point. Ideally I'd like to block specialchars and just allow alphanumeric. Any pointers? Thanks Steve
OK, figured out how to add 'alpha_numeric' to block specialchars, but would still like to figure out the ampersand one (I looked at my password and it does actually have specialchars in it, just not &).
Back in the old days Community Auth came with a very full featured example application that allowed people to see how Community Auth could be used. 2 or 3 years ago that changed, and Community Auth only came with a very basic example application, because the older full featured one was a headache for anyone who had an existing application. Now, it cannot be said enough, the current example application is not for you to base anything off of. It's just an example so you can see that Community Auth works. Nothing more... and there will probably be bugs like this ++. Please do yourself a favor and treat the example application as an example, and then build your own application.
I would suspect that the password is escaped, and thus an "&" is changed to "&amp;". I have not looked into the source code yet, though.
But like @skunkbad said, don't use the library as is. Currently I am doing a project where the authentication is based on both Community Auth and Ion Auth, with heavy modifications specific to my project. I think that's the way to go (I like looking at examples on how others have solved certain challenges).
Found the issue, in the _change_password function it's using set_value to pull the contents from POST, set_value encodes characters automatically. So instead I changed those to pull from $this->input->POST instead.
Patch diff attached. And I fully understand the "use it as an example and write your own implementation", I have done that for the controllers where it was too messy to unpick the code, but a lot of the functions that are in the models (like _change_password) are pretty much core to an authentication plugin so I'm not going to completely reinvent the wheel (if I wanted to do that I'd have written my own authentication piece in the first place) - and yes I can copy/paste them into my own models but then if updates are made in the code repo to fix bugs etc. then I'd have even more work to do to fix that. Maybe some of that core functionality that's in the examples should be moved more central into the plugin/library?
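As an added example (not Community Auth's own code, and not the patch attached above), the following plain PHP script reproduces the ampersand problem described in this thread and the effect of reading the raw POST value instead. It assumes that CodeIgniter 3's set_value() HTML-escapes the field through html_escape(), which is simulated here with htmlspecialchars(); the request arrays are constructed sample input.

```php
<?php
// Added example, not Community Auth code: shows why hashing an HTML-escaped
// password breaks login, and why hashing the raw POST value fixes it.

// Assumption: CodeIgniter 3's set_value() returns html_escape($value), i.e.
// htmlspecialchars($value, ENT_QUOTES, 'UTF-8'). Simulated here without CI.
function simulated_set_value(array $post, string $field): string
{
    return htmlspecialchars($post[$field] ?? '', ENT_QUOTES, 'UTF-8');
}

// Assumption: a plain read of the raw POST value, like $this->input->post().
function raw_post_value(array $post, string $field): string
{
    return $post[$field] ?? '';
}

// Buggy flow: the password is escaped before hashing, so an "&" in the
// submitted password is stored as a hash of the "&amp;" form.
function change_password_buggy(array $post): string
{
    return password_hash(simulated_set_value($post, 'password'), PASSWORD_DEFAULT);
}

// Fixed flow: hash exactly what the user typed.
function change_password_fixed(array $post): string
{
    return password_hash(raw_post_value($post, 'password'), PASSWORD_DEFAULT);
}

// Login compares the raw submitted password against the stored hash.
function login(array $post, string $stored_hash): bool
{
    return password_verify(raw_post_value($post, 'password'), $stored_hash);
}

// Constructed sample requests: the same password containing an ampersand is
// submitted first to the change-password form and then to the login form.
$change_request = ['password' => 'S3cret&More'];
$login_request  = ['password' => 'S3cret&More'];

$buggy_hash = change_password_buggy($change_request);
$fixed_hash = change_password_fixed($change_request);

var_dump(login($login_request, $buggy_hash)); // login against the escaped-then-hashed password
var_dump(login($login_request, $fixed_hash)); // login against the raw-hashed password
```

The first var_dump() is false because the stored hash was computed over the escaped string, while the second is true; the same mismatch would appear for any character htmlspecialchars() rewrites, such as quotes or angle brackets, not only "&".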