This repository has been archived by the owner on Aug 30, 2021. It is now read-only.

RESTful API Usage and Security #1656

Closed
leopeng1995 opened this issue Nov 27, 2016 · 9 comments
Comments

@leopeng1995

leopeng1995 commented Nov 27, 2016

One year ago, I tried to use the signin restful api of meanjs, localhost:3000/api/auth/signin, using the following command:

curl -X POST --data "username=<username>&password=<password>" localhost:3000/api/auth/signin | python -m json.tool >> signin.json

and then, in signin.json:

{
    "__v": 0,
    "_id": "5648940efd96a76f152fd563",
    "assets": 0,
    "created": "2015-11-15T14:17:50.347Z",
    "displayName": "<username>",
    "email": "<username>@<company>.com",
    "firstName": "XXX",
    "lastName": "XXX",
    "profileImageURL": "modules/users/client/img/profile/default.png",
    "provider": "local",
    "roles": [
        "user"
    ],
    "username": "<username>"
}

However, when I retried the same command at present, I got the following issue about HTTP Status 411:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Length Required</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Length Required</h2>
<hr><p>HTTP Error 411. The request must be chunked or have a content length.</p>
</BODY></HTML>
{"message":"Missing credentials"}

It seems that I should include the Content-Length in the request? How can I fix it?

Another question is, the password in request is plaintext, how can I encode it and decode it in the server-side? Add a decoder in the controller of the server-side?

@leopeng1995
Author

leopeng1995 commented Nov 27, 2016

Update: I tried to add a Content-Length header and got the following error:

curl -H "Content-Length: 55" -X POST --data "username=<username>&password=<password>" localhost:3000/api/auth/signin
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://mail.live.com/default.aspx">here</a>.</h2>
</body></html>
{"message":"Missing credentials"}

And another problem: it hung up indeed!

@leopeng1995
Author

leopeng1995 commented Nov 27, 2016

Update 2: I found a similar problem on Stack Overflow. It proposed the reason why: the body-parser. But I found meanjs already uses bodyParser in config/lib/express.js. As a result, I am confused.

Actually, when I printed the message of req.body, it showed empty: {}.

@leopeng1995
Author

Thank God, I found the solution to the first problem:

curl -X POST --data "usernameOrEmail=<username>&password=<password>" localhost:3000/api/auth/signin

The key point is that the latest version has changed "username" to "usernameOrEmail".

@lirantal
Member

That's right, I was just thinking about that recently. I think that deserves a fix to also support the username keyword, what do you think @codydaig @mleanos ?

@lirantal lirantal self-assigned this Nov 27, 2016
@codydaig
Member

I thought we already had support for username and email. I guess I'm confused where this got changed (or if I was dreaming things).

@hyperreality
Contributor

It was a fairly recent change: 6a6b630

If you modify line 13 of config/strategies/local.js back from usernameOrEmail to username, and also change the field name in the login form, you would be able to make curl requests in the same manner with the username parameter instead.

I think this also involves questions of whether the username field should be ditched altogether in favour of email addresses to identify users, which I think I saw mentioned somewhere.

@mleanos
Member

mleanos commented Nov 29, 2016

For my own apps, I use email for logins. However, I don't necessarily see the need to enforce that here.

> If you modify line 13 of config/strategies/local.js back from usernameOrEmail to username, and also change the field name in the login form, you would be able to make curl requests in the same manner with the username parameter instead.

I think we should do this. Even though we're checking both username & email in the logic, by having a consistent name of "username" that the API & client-side forms use, we would be hiding a bit of the logic from parties that need not know how we're actually performing logins.

@lirantal
Member

lirantal commented Dec 4, 2016

@mleanos agree.

@simison
Member

simison commented Jun 16, 2017

@lirantal this can be closed? Seems to be resolved.
