Fix no session on social Logins #1164

Open
wants to merge 2 commits into master

Conversation

MassivDash
Contributor

Because social tokens are constructed via await access.grantAccess(user, req, user.passwordHash), and password_hash was missing session could not be established.

Commits:
Because social tokens are constructed via await access.grantAccess(user, req, user.passwordHash), and password_hash was missing session could not be established.
erasing old password value
@@ -14,10 +15,12 @@ export async function onAuthenticationSuccess(req, res) {
}

export const registerUser = async ({ id, username, displayName, emails: [{ value }] }) => {
const passwordHash = await bcrypt.hash(id || username || displayName, 12);
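Review bot: the value hashed on the `const passwordHash` line, `id || username || displayName`, is a public profile identifier, so `bcrypt.hash` over it produces a credential that anyone who knows the profile can reproduce; instead of storing a placeholder, let `passwordHash` be absent for social accounts and make the consumer of that field (the `grantAccess` call named in the description) tolerate a missing value. Separately, the second argument `12` is bcrypt's cost factor (2^12 rounds), not a salt; bcrypt generates and embeds its own salt, so if the hash stays, a comment saying `12` is the cost would stop the salt misreading from spreading.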
Member


Why do we use id or username or displayName as a password? Why do we use 12 as a salt?

Contributor Author


I have replicated the bcrypt password hash creation from the access modules; it had 12 as salt. Since the social user passport strategy has no user password field, we need to create whatever password in order for the social tokens to be created. I thought we might as well create the password from the user's outside id, like it was before, but if it is missing, then create one from the display name. My assumption is that either the user will continue to log in through social or he will request forgot password.

Member


I don't think we need a password at all for social users, because this field is not used as a password. I think the better approach is to handle the case elsewhere in the code where the password might actually be missing: #1165

2 participants