"The provided credentials are invalid" with complex password #1070

Closed
rrrnld opened this issue Sep 4, 2021 · 2 comments

rrrnld commented Sep 4, 2021

Describe the bug
When trying out vendure via npx @vendure/create … I was not able to log in when using a complex password. I could fix the problem by using a simpler password, which makes me think that this is a problem with an incorrectly escaped SQL query.

To Reproduce
Steps to reproduce the behavior:

  1. Run npx @vendure/create some-folder
  2. When asked for the superadmin password, enter 7WMe_kh;h0n/H!"K/AD[2z|x
  3. Wait for the setup to finish
  4. Try to log in via the admin UI
  5. Logging in fails with the notification "The provided credentials are invalid"

Expected behavior
As I'm using a password manager to generate my passwords, I'd expect the system to be able to handle pretty much any password that you throw at it (no restriction in character set and a reasonably high restriction in maximum password length, say 128 chars). I'd also expect the system to warn me if I'm using a password that does not meet its requirements.

Environment (please complete the following information):

  • @vendure/core version: 1.2.0
  • Nodejs version: 16.8.0
  • Database (mysql/postgres etc): SQLite

Finally let me say, thank you for working on vendure and providing it for free!

rrrnld added the "type: bug 🐛" label Sep 4, 2021

michaelbromley (Member) commented

Thanks for the report. This is interesting and unexpected, since we are using bcrypt to hash the password before putting it in the db. Possibly the error is originating somewhere higher on the stack.

michaelbromley (Member) commented

OK, I tested this first of all by creating a new Administrator in an existing project using the password above, and all worked as expected.

So I followed your reproduction instructions with a new project and I found the issue - when generating the vendure-config.ts file during project scaffold, the string entered is not correctly escaped, so the resulting config looks like this:

    authOptions: {
        superadminCredentials: {
            identifier: 'superadmin',
            password: '7WMe_kh;h0n/H!&quot;K/AD[2z|x',
        },
    },

Notice that the " char has been escaped as &quot;. I think this is done by Handlebars, which is used to interpolate the wizard values into the config file.
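
The mismatch described in the comment above, as an added example that is not part of the original thread and is not Vendure or Handlebars code: HTML escaping is the wrong encoding for a value written into a TypeScript source file, while emitting a complete string literal round-trips the password. The function names and the escape map re-implemented here are assumptions made so the example runs without dependencies.

```javascript
// Added example: constructed stand-ins, not Vendure or Handlebars source code.

// HTML escaping as a template engine applies it to {{value}} by default.
// The map mirrors Handlebars' default escaping, re-implemented here (assumption).
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};
function htmlEscape(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => HTML_ESCAPES[ch]);
}

// Context-appropriate encoding for a JS/TS source file: emit a complete
// string literal. JSON.stringify escapes quotes, backslashes and control
// characters; U+2028/U+2029 are escaped too for pre-ES2019 parsers.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hypothetical scaffold step: build the config line both ways.
function renderConfigLine(password, mode) {
  return mode === 'html'
    ? `password: '${htmlEscape(password)}',`
    : `password: ${toJsStringLiteral(password)},`;
}

// Read back the value the generated config would hold at runtime.
// The literal is parsed as data; nothing is evaluated as code.
function passwordFromConfigLine(line) {
  const literal = line.slice('password: '.length, -1); // drop key and trailing comma
  if (literal.startsWith('"')) return JSON.parse(literal);
  return literal.slice(1, -1); // html mode: single-quoted, backslashes not interpreted
}

const entered = '7WMe_kh;h0n/H!"K/AD[2z|x'; // password from the issue report
for (const mode of ['html', 'js']) {
  const line = renderConfigLine(entered, mode);
  console.log(mode, line, 'round-trips:', passwordFromConfigLine(line) === entered);
}
```

In the html mode the stored superadmin password differs from what the user typed, so the bcrypt comparison at login fails even though hashing itself is working correctly.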
