Redirect Notice
As of April 12th, you must go to Progress SupportLink to create new support cases or to access existing cases. Please, bookmark the SupportLink URL and use the new portal to contact the support team.
How can we help you today?
Invalid credentials,After I run an user update from a custom Endpoint
4 CommentsSorted by Oldest First
Gal
said
over 8 years ago
Hi, as a security measure, Kinvey strips out the user's password before returning it as part of the results from a collectionAccess.find() command in BL. Since when you call update() and pass a user object as the second argument, the user with the matching ID is replaced by the object in the argument, this causes your users to have missing passwords.
In order to update certain properties within the user entity without overriding the entire object, you should use the mongo $set operator, which you can read about [here](http://docs.mongodb.org/manual/reference/operator/update/set/ "docs.mongodb.org/manual/reference/operator/update/set/").
In order to update certain properties within the user entity without overriding the entire object, you should use the mongo $set operator, which you can read about [here](http://docs.mongodb.org/manual/reference/operator/update/set/ "docs.mongodb.org/manual/reference/operator/update/set/").
Than you! It's working with $set.
Hi Gal,
The password field should also be write protected not only read protected. That would be secure and safe for devs at the same time.
Thx.
V3ga
> @Gal said:
> Hi, as a security measure, Kinvey strips out the user's password before returning it as part of the results from a collectionAccess.find() command in BL. Since when you call update() and pass a user object as the second argument, the user with the matching ID is replaced by the object in the argument, this causes your users to have missing passwords.
>
> In order to update certain properties within the user entity without overriding the entire object, you should use the mongo $set operator, which you can read about [here](http://docs.mongodb.org/manual/reference/operator/update/set/ "docs.mongodb.org/manual/reference/operator/update/set/").
Gal
said
over 8 years ago
Hi @v3ga, that is absolutely true, and in fact we have a fix for this scheduled for an upcoming release!
adrianaNik
I have a custom endpoint which update every row from user collection. After I run this endpoint, I logout and trying to login again: Kinvey,user.login return me Invalid credentials. After I reset password I can login.
Which is my error, or which can be the cause?
This is my custom point:
function onRequest(request, response, modules) {
var logger = modules.logger;
var collectionAccess = modules.collectionAccess;
var org_id=request.body.org_id;
var id=request.body._id;
collectionAccess.collection('user').find({organizationID: org_id, deleted: 0,accountType:2},function (err, users){
if( err || !users ){ response.complete(); }
var no=users.length;
users.forEach(function(user){
user.first_name=(typeof user.first_name!='undefined')? user.first_name.trim() : '';
user.title_normalized=(typeof user.title!='undefined')? user.title.trim().toLowerCase() : '';
user.last_name=(typeof user.last_name!='undefined') ? user.last_name.trim() : '';
var name= user.first_name+' '+user.last_name;
user.name_normalized=name.toLowerCase();
no--;
if(user._id!=id) collectionAccess.collection('user').update({"_id":user._id},user,function(err,user){ if(no
else if(no
//if(no
}); //foreach
});
}