Myth Auth strong_password
#1

Hi,

I'm using MythAuth for my authentication. When changing the password I'm getting a personal information error that seems wrong to me. The error states the password '95*P$3+J`}&2"b[|qGWUqii&J)OiIU' contains personal information; I don't know how, because this is generated and seems nothing personal to me. Is there something going wrong within this validation?
#2

(This post was last modified: 07-28-2022, 01:48 AM by manager.)

(07-27-2022, 12:06 PM)superior Wrote: Hi,

I'm using MythAuth for my authentication. When changing the password I'm getting a personal information error that seems wrong to me. The error states the password '95*P$3+J`}&2"b[|qGWUqii&J)OiIU' contains personal information; I don't know how, because this is generated and seems nothing personal to me. Is there something going wrong within this validation?

Hi. Can you show your controller code which processes the change password method?

It would be really informative if you also included your Myth:Auth and PHP versions too.
#3

The controller has nothing to do with it, because it's a rule set to validate: strong_password.

> https://github.com/lonnieezell/myth-auth#services

Latest version of MythAuth installed through composer, no modifications on that file.
PHP Version 8.0.14
#4

(07-28-2022, 12:09 AM)superior Wrote: The controller has nothing to do with it, because it's a rule set to validate: strong_password.

I do not agree with you. The change password request goes from the user to the controller, but Myth's AuthController.php doesn't have an appropriate method to process this request, so I guess you added this code and maybe some extra validation. So there is no harm in having a look at this part of the code too, to make sure there is no problem there. And please give the exact error message and the username and email values used.
#5

(07-28-2022, 01:40 AM)manager Wrote:
(07-28-2022, 12:09 AM)superior Wrote: The controller has nothing to do with it, because it's a rule set to validate: strong_password.

I do not agree with you. The change password request goes from the user to the controller, but Myth's AuthController.php doesn't have an appropriate method to process this request, so I guess you added this code and maybe some extra validation. So there is no harm in having a look at this part of the code too, to make sure there is no problem there. And please give the exact error message and the username and email values used.
I don't see how this would help, because my controller has nothing to do with it, but ok...
The error message is MythAuth's translation of the key 'errorPasswordPersonal'; it differs by language.
See: https://github.com/lonnieezell/myth-auth...th.php#L49


PHP Code:
public function postPassword()
{
    $setRules = [
        'current' => [
            'label' => lang('Auth.password'),
            'rules' => 'required',
        ],
        'newpasswd' => [
            'label' => lang('Auth.newPassword'),
            'rules' => 'required|strong_password', // As said before, it's only this part `strong_password`
        ],
        'reppasswd' => [
            'label' => lang('Auth.repeatPassword'),
            'rules' => 'required|matches[newpasswd]',
        ],
    ];

    if (! $this->validate($setRules)) {
        // Validation failed (this is where the strong_password error comes from)
        return redirect()->to(url_to('change_password'))->with('errors', $this->validator->getErrors());
    } else {
        $userModel = model(UserModel::class);

        if ($user = $userModel->where('id', user_id())->first()) {
            // Re-authenticate with the current password before accepting the new one
            if (! $this->auth->attempt(['username' => $user->username, 'password' => $this->request->getPost('current')], false)) {
                return redirect()->to(url_to('change_password'))->with('errors', ['current' => lang('Auth.invalidCurrentPassword')]);
            }

            $user->password = $this->request->getPost('newpasswd');

            if (! $userModel->save($user)) {
                return redirect()->to(url_to('change_password'))->with('errors', $userModel->errors());
            }

            return redirect()->to(url_to('change_password'))->with('message', lang('Auth.passwordChangeSuccess'));
        }
    }
}
#6

(This post was last modified: 07-28-2022, 03:21 AM by manager.)

(07-28-2022, 01:40 AM)manager Wrote: And please give the exact error message and the username and email values used.

and the 'personal' fields defined in config with their values, to reproduce the error.

NothingPersonalValidator only throws the 'errorPasswordPersonal' key error.
#7

(07-28-2022, 03:13 AM)manager Wrote:
(07-28-2022, 01:40 AM)manager Wrote: And please give the exact error message and the username and email values used.

and the 'personal' fields defined in config with their values, to reproduce the error.

NothingPersonalValidator only throws the 'errorPasswordPersonal' key error.

PHP Code:
    public $personalFields = [
        'company_name', 'company_vat', 'company_coc', 'first_name', 'last_name',
        'address', 'number', 'extra_nr', 'zipcode', 'city', 'country', 'phone', 'comments',
    ];
#8

PHP Code:
    public $personalFields = [
        'company_name', 'company_vat', 'company_coc', 'first_name', 'last_name',
        'address', 'number', 'extra_nr', 'zipcode', 'city', 'country', 'phone', 'comments',
    ];

Really big list.
In your case validation goes through the NothingPersonalValidator.php class, isNotPersonal() method.
This method looks for personal information in a password. For example, first of all it checks whether your password is equal to your username or email address, or the reversed username.
If you have also filled $personalFields, then the method will also get their values too to look for personal information. Considering 13 variables in your list, there is a really big chance that validation will fail.
For example: in the "number" field you have the value "95". In this situation validation will fail.
A quick solution in your case is to comment out the nothingPersonalValidator class from the $passwordValidators array.
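An added illustration, not Myth:Auth's own code: a Python model of the checks manager describes (exact match against username, email and reversed username, then a case-insensitive substring search for every personal-field value), run against a constructed user and the password from the first post. `min_needle_len` is a hypothetical filter added here to show a middle ground between disabling the validator and pruning the field list; it is not a Myth:Auth option.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class User:
    username: str
    email: str
    extra: dict = field(default_factory=dict)  # values of the $personalFields, keyed by field name

def is_not_personal(password: str, user: User, personal_fields: list,
                    min_needle_len: int = 1) -> bool:
    """True when the password survives the 'nothing personal' check.

    Step 1: reject an exact match against username, email or reversed username.
    Step 2: reject if any non-empty personal-field value occurs inside the password.
    min_needle_len (hypothetical, not in Myth:Auth) skips values shorter than N characters,
    since a two-character needle like "95" will collide with random passwords very often.
    """
    haystack = password.lower()
    username = user.username.lower()
    email = user.email.lower()
    if haystack in (username, email, username[::-1]):
        return False
    for name in personal_fields:
        needle = str(user.extra.get(name, "")).strip().lower()
        if not needle or len(needle) < min_needle_len:
            continue
        if needle in haystack:
            return False
    return True

# The field list from the thread
PERSONAL_FIELDS = ['company_name', 'company_vat', 'company_coc', 'first_name', 'last_name',
                   'address', 'number', 'extra_nr', 'zipcode', 'city', 'country', 'phone', 'comments']

def demo() -> dict:
    # Constructed sample user: only 'number' = "95" overlaps with the generated password
    user = User("superior", "superior@example.com",
                {"first_name": "Jan", "number": "95", "city": "Utrecht"})
    pw = '95*P$3+J`}&2"b[|qGWUqii&J)OiIU'
    return {
        "default": is_not_personal(pw, user, PERSONAL_FIELDS),                 # False: "95" found
        "number_removed": is_not_personal(pw, user,
                                          [f for f in PERSONAL_FIELDS if f != "number"]),  # True
        "min_len_3": is_not_personal(pw, user, PERSONAL_FIELDS, min_needle_len=3),  # True
        "reversed_username": is_not_personal("roirepus", user, PERSONAL_FIELDS),    # False
    }

if __name__ == "__main__":
    print(demo())
```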
#9

(07-28-2022, 04:15 AM)manager Wrote:
PHP Code:
    public $personalFields = [
        'company_name', 'company_vat', 'company_coc', 'first_name', 'last_name',
        'address', 'number', 'extra_nr', 'zipcode', 'city', 'country', 'phone', 'comments',
    ];

Really big list.
In your case validation goes through the NothingPersonalValidator.php class, isNotPersonal() method.
This method looks for personal information in a password. For example, first of all it checks whether your password is equal to your username or email address, or the reversed username.
If you have also filled $personalFields, then the method will also get their values too to look for personal information. Considering 13 variables in your list, there is a really big chance that validation will fail.
For example: in the "number" field you have the value "95". In this situation validation will fail.
A quick solution in your case is to comment out the nothingPersonalValidator class from the $passwordValidators array.

Did that, but alternatively I would like this activated; I will remove some of the list that should not be so personal after all.
Thanks for thinking with me!
#10

Of course it would be a good idea to exclude some variables from your list. Good luck!