
Invalid credentials after I run a user update from a custom endpoint

Hi!

I have a custom endpoint which updates every row from the user collection. After I run this endpoint, I log out and try to log in again: Kinvey.user.login returns Invalid credentials. After I reset the password I can log in.



What is my error, or what could be the cause?



This is my custom endpoint:

```javascript
function onRequest(request, response, modules) {
    var logger = modules.logger;
    var collectionAccess = modules.collectionAccess;
    var org_id = request.body.org_id;
    var id = request.body._id;

    collectionAccess.collection('user').find({organizationID: org_id, deleted: 0, accountType: 2}, function (err, users) {
        // return here, otherwise the code below runs against an undefined result
        if (err || !users) { return response.complete(); }
        var no = users.length; // countdown of users still to be processed

        users.forEach(function (user) {
            user.first_name = (typeof user.first_name != 'undefined') ? user.first_name.trim() : '';
            user.title_normalized = (typeof user.title != 'undefined') ? user.title.trim().toLowerCase() : '';
            user.last_name = (typeof user.last_name != 'undefined') ? user.last_name.trim() : '';
            var name = user.first_name + ' ' + user.last_name;
            user.name_normalized = name.toLowerCase();
            no--;
            // The post was cut off after "if(no"; the two conditions below are reconstructed from the
            // countdown above (complete the response once the last user has been handled).
            // Note that the whole user object is passed as the replacement document.
            if (user._id != id) collectionAccess.collection('user').update({"_id": user._id}, user, function (err, user) { if (no == 0) response.complete(); });
            else if (no == 0) response.complete();
        }); // forEach
    });
}
```

Hi, as a security measure, Kinvey strips out the user's password before returning it as part of the results from a collectionAccess.find() command in BL. Since, when you call update() and pass a user object as the second argument, the user with the matching ID is replaced by the object in the argument, this causes your users to have missing passwords.



In order to update certain properties within the user entity without overriding the entire object, you should use the mongo $set operator, which you can read about [here](http://docs.mongodb.org/manual/reference/operator/update/set/ "docs.mongodb.org/manual/reference/operator/update/set/").
Thank you! It's working with $set.
Hi Gal, The password field should also be write protected, not only read protected. That would be secure and safe for devs at the same time. Thx. V3ga

> @Gal said:
> Hi, as a security measure, Kinvey strips out the user's password before returning it as part of the results from a collectionAccess.find() command in BL. Since when you call update() and pass a user object as the second argument, the user with the matching ID is replaced by the object in the argument, this causes your users to have missing passwords.
>
> In order to update certain properties within the user entity without overriding the entire object, you should use the mongo $set operator, which you can read about [here](http://docs.mongodb.org/manual/reference/operator/update/set/ "docs.mongodb.org/manual/reference/operator/update/set/").
Hi @v3ga, that is absolutely true, and in fact we have a fix for this scheduled for an upcoming release!