Uploaded image for project: 'mod-login'
  1. mod-login
  2. MODLOGIN-129

POST to /authn/credentials accepts empty string for password

    XMLWordPrintable

Details

    • CP: sprint 90
    • Core: Platform
    • Q2 2020

    Description

      A POST request to authn/credentials allows for passwords consisting of an empty string. This should not be permissible. 

      POST https://folio-snapshot-okapi.aws.indexdata.com/authn/credentials

{
  "password":"",
  "username":"testy",
  "userId":"011bb48f-6ed3-4e62-b5b1-cf909dc7f8ce",
  "id":"6d924f95-671a-48b8-b0bd-9c0b6c4d448a"
}

      N.B. This also applies to POST authn/update and should be addressed in both places.

      TestRail: Results

        Attachments

          Issue Links

            is blocked by

            Bug - A problem which impairs or prevents the functions of the product. MODLOGIN-131 reset password fails if credentials record does not already exist

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. UIU-1671 do not create credentials record when adding username

            • TBD - To be determined
            • Closed
            relates to

            Bug - A problem which impairs or prevents the functions of the product. MODLOGIN-128 It is possible to fetch password hashes for all users

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MODLOGIN-132 Do not return credential hash/salt when posting credentials

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MODLOGIN-133 Remove PUT /authn/credentials/<id>

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MODLOGIN-134 Refactor DELETE /authn/credentials/<id>

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. UIU-1672 if username is present, display "send reset password" link

            • TBD - To be determined
            • Closed

            Activity

              People

                cmcnally Craig McNally
                zburke Zak_Burke
                Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  TestRail: Runs

                    TestRail: Cases