"The credentials did not match" / UNAUTHORIZED error when logging in with dot (.) in email address #486

Closed
michaelbromley opened this issue Oct 7, 2020 · 1 comment
@michaelbromley

Describe the bug
I've now received 2 reports of users who had trouble logging in to Customer accounts when the email address contained a dot.

  1. In the first case, the Customer was created & verified in one step via the Admin UI. Eventually he concluded:

    I found out the problem... seems inside first part of the email address, there cannot be a dot...(strange)...
    as I use [email protected] is not ok, but it works after I change to [email protected]

    No idea about the Vendure version for that one.

  2. In the second case, the Customer was created via registerCustomerAccount and then verified via verifyCustomerAccount. Upon verification, the Customer is authenticated successfully. However, after logging out and attempting to login again, the user got the error:

    {
      "errors": [
        {
          "message": "The credentials did not match. Please check and try again",
          "locations": [
            {
              "line": 2,
              "column": 3
            }
          ],
          "path": [
            "login"
          ],
          "extensions": {
            "code": "UNAUTHORIZED"
          }
        }
      ],
      "data": null
    }
    

    This user was using Vendure v0.15.0, on Windows 10. The email address was of the format [email protected]. User confirmed that using an email address without a dot in the first part fixed the issue.

To Reproduce
I cannot reproduce this on the current (v0.16.0) master branch. I also did a fresh @vendure/[email protected] install and again failed to reproduce the issue.

So I am creating this issue to see if we can collect any more instances & data to help reproduce. If you are running into this, please comment below and (ideally) provide a repo that reproduces the issue.

@michaelbromley michaelbromley added the type: bug 🐛 Something isn't working label Oct 7, 2020
@michaelbromley michaelbromley self-assigned this Oct 7, 2020
@michaelbromley

I'm not 100% sure that this is the cause, but I have discovered a bug in the NativeAuthenticationStrategy:

Reproduction

  1. Create a verified Customer (either via Shop API or Admin API - doesn't matter) with email address '[email protected]'
  2. Delete that Customer via the Admin UI
  3. Create a new Customer, also with the email address '[email protected]' but a different password than the first
  4. Attempt to log in as that Customer.
  5. Get "invalid credentials" error.

The reason is this method in NativeAuthenticationStrategy:

    private getUserFromIdentifier(ctx: RequestContext, identifier: string): Promise<User | undefined> {
        return this.connection.getRepository(ctx, User).findOne({
            where: { identifier },
            relations: ['roles', 'roles.channels'],
        });
    }

This DB lookup is not adding the deletedAt: null condition, so it will find the first (deleted) User and the passwords will not match.

Adding an e2e test for this with the fix.
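
The soft-delete lookup described in the comment above, as an added example that is not part of the original issue or Vendure's code. It is an in-memory model: `UserRow`, `findOne`, `toyHash`, the email address and the passwords are all constructed assumptions. It shows why a query on `identifier` alone ends in `UNAUTHORIZED` for the re-created Customer, and what the `deletedAt: null` condition changes.

```typescript
// Added illustration: an in-memory model, not Vendure or TypeORM code.
interface UserRow {
    id: number;
    identifier: string;
    passwordHash: string;
    deletedAt: Date | null; // non-null once the Customer has been soft-deleted
}

// Stand-in for a real password hash so the example runs offline (assumption).
const toyHash = (password: string): string => `toy$${password.length}$${password}`;

// Constructed table state after reproduction steps 1-3.
const EMAIL = 'first.last@example.test';
const users: UserRow[] = [
    { id: 1, identifier: EMAIL, passwordHash: toyHash('old-password'), deletedAt: new Date('2020-10-01') },
    { id: 2, identifier: EMAIL, passwordHash: toyHash('new-password'), deletedAt: null },
];

type Where = Partial<Pick<UserRow, 'identifier' | 'deletedAt'>>;

// Minimal findOne(): first row for which every condition in `where` holds.
function findOne(where: Where): UserRow | undefined {
    return users.find(row =>
        (where.identifier === undefined || row.identifier === where.identifier) &&
        (where.deletedAt === undefined || row.deletedAt === where.deletedAt),
    );
}

// Lookup shaped like the one posted in the issue: identifier only, deleted rows included.
const lookupUnfiltered = (identifier: string) => findOne({ identifier });
// Lookup with the condition the comment says is missing.
const lookupActiveOnly = (identifier: string) => findOne({ identifier, deletedAt: null });

type Lookup = (identifier: string) => UserRow | undefined;

// Returns the authenticated user id, or 'UNAUTHORIZED' as in the reported error.
function login(lookup: Lookup, identifier: string, password: string): number | 'UNAUTHORIZED' {
    const user = lookup(identifier);
    return user && user.passwordHash === toyHash(password) ? user.id : 'UNAUTHORIZED';
}

console.log(login(lookupUnfiltered, EMAIL, 'new-password')); // deleted row is found first
console.log(login(lookupActiveOnly, EMAIL, 'new-password')); // live row is found
// In this model the unfiltered lookup also still matches the deleted row's password.
console.log(login(lookupUnfiltered, EMAIL, 'old-password'));
console.log(login(lookupActiveOnly, EMAIL, 'old-password'));
```

A regression test for this class of bug is worth running in both directions: the new credentials must succeed, and the soft-deleted row's credentials must fail.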
