- Posts: 12
Password Limitations?
- paul_mcdonald
- Topic Author
- Offline
6 years 2 months ago #258
by paul_mcdonald
Password Limitations? was created by paul_mcdonald
I have an app that requires a user to login to the app. They type their username/password (from Joomla) into the app. That gets passed to the website (using cAPI). It seems that those that utilize special characters cannot validate.
Has anyone experienced issues with the use of special characters when passing in passwords to validate user?
- steve.tsiopanos
- Offline
- Posts: 163
6 years 2 months ago #259
by steve.tsiopanos
Replied by steve.tsiopanos on topic Password Limitations?
Hi Paul,
This issue has been brought up previously, though it is not really a bug, it's an inherent issue of using a URL string to pass the username and password. While cAPI does provide that capability, it is limited by the fact that URLs will break at certain special characters.
What you want to do is use the BASIC_AUTH capabilities or token based authentication. With BASIC_AUTH, credentials are guaranteed to be passed through the API server correctly.
learn.getcapi.org/intermediate/basic-authentication
After some consideration, the following API method should probably be deprecated:
learn.getcapi.org/api-methods/joomla-api-routes/user/get-user-login-username-password
yourdomain.com/api/v1/login/:username/:password
That's because the moment you include a special character in your password, the URL request will break at that character. A long-term solution would be to require that the password be BASE64 encoded prior to passing it into the URL request.
Note: This is not "security" as BASE64 is not encryption, but rather reversible encoding. Its main purpose in this case would be to allow password strings to be passed through via a URL request in such a way that they can be decoded on the receiving end without being adulterated.
Although this is the community support forum, I felt it important to respond to this question because I am sure others have experienced this issue as well. My recommendation, to avoid issues with special characters, is to use the BASIC_AUTH method or token authentication (or require your users to create passwords with no spaces, no special characters... not ideal).
- berti01
- Offline
- Posts: 2
4 years 3 months ago #302
by berti01
Replied by berti01 on topic Password Limitations?
Please keep in mind that deprecating the endpoints is not appreciated in cases where you want to actually use the session and session id.
Furthermore, the proper way would be to make it use POST form params or a JSON body instead of GET/URL parameters.
The following user(s) said Thank You: steve.tsiopanos
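The following is an added example, not code from this thread, from cAPI or from Joomla. It works through the transports the replies above discuss: Steve's point that a raw password placed in the `/api/v1/login/:username/:password` route is split apart by ordinary URL parsing, his suggestion of BASE64-encoding the password before it goes into the URL, the BASIC_AUTH header, and berti01's alternative of a POST with a JSON body. The sample credentials, the helper names and the `yourdomain.com` host (taken from Steve's reply as a placeholder) are all constructed; the code only builds and parses the messages and never contacts a server.

```python
import base64
import json
from urllib.parse import quote, unquote, urlsplit

# Constructed sample credentials (hypothetical). The password deliberately
# contains the characters that URL parsing treats specially: '/', '?', '#', ' ', '&'.
USERNAME = "paul"
PASSWORD = "p@ss/w?rd#1 &x"


def naive_path_login_url(base, username, password):
    """The :username/:password route with the raw password concatenated in."""
    return f"{base}/api/v1/login/{username}/{password}"


def extract_password_segment(url):
    """What a server-side router would see as the :password parameter.

    Standard parsing stops the path at the first '?' (query) or '#' (fragment)
    and splits the remainder on '/', so an unencoded password changes the
    number of path segments and the route no longer matches.
    """
    parts = urlsplit(url)
    segments = parts.path.split("/")  # expected: ['', 'api', 'v1', 'login', user, pw]
    if len(segments) != 6:
        return None
    return unquote(segments[5])


def encoded_path_login_url(base, username, password):
    """Percent-encode every reserved character (safe='') so the segment survives."""
    return f"{base}/api/v1/login/{quote(username, safe='')}/{quote(password, safe='')}"


def base64url_path_login_url(base, username, password):
    """Steve's suggestion: BASE64 before the URL. The URL-safe alphabet is used and
    padding stripped because '+', '/' and '=' are themselves reserved in URLs."""
    token = base64.urlsafe_b64encode(password.encode("utf-8")).rstrip(b"=").decode("ascii")
    return f"{base}/api/v1/login/{quote(username, safe='')}/{token}"


def decode_base64url_password(segment):
    """Receiving side of the above: restore padding, then decode (encoding, not encryption)."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def basic_auth_header(username, password):
    """RFC 7617 Basic credentials: base64(user-id ':' password), no URL involved."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth_header(value):
    """Server-side decoding of the Authorization header; split on the first ':' only."""
    scheme, _, b64 = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, pw = base64.b64decode(b64).decode("utf-8").partition(":")
    return user, pw


def json_body_login_request(host, username, password):
    """berti01's alternative: POST with a JSON body. The request-target carries no
    secret, so the password does not land in access logs or browser history."""
    body = json.dumps({"username": username, "password": password})
    head = (
        "POST /api/v1/login HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/json\r\n"
        f"Content-Length: {len(body.encode('utf-8'))}\r\n\r\n"
    )
    return head + body


def parse_json_body_login_request(raw):
    """Return (request line, parsed JSON body) from the serialized request."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n")[0], json.loads(body)


if __name__ == "__main__":
    base = "https://yourdomain.com"
    print("naive   :", extract_password_segment(naive_path_login_url(base, USERNAME, PASSWORD)))
    print("encoded :", extract_password_segment(encoded_path_login_url(base, USERNAME, PASSWORD)))
    seg = extract_password_segment(base64url_path_login_url(base, USERNAME, PASSWORD))
    print("base64  :", decode_base64url_password(seg))
    print("basic   :", parse_basic_auth_header(basic_auth_header(USERNAME, PASSWORD)))
    print("json    :", parse_json_body_login_request(json_body_login_request("yourdomain.com", USERNAME, PASSWORD))[0])
```

Percent-encoding repairs the route only if the server leaves `%2F` alone until after routing; Apache, for instance, rejects encoded slashes in the path by default (`AllowEncodedSlashes Off`), which is one reason the BASE64 variant is more robust than plain encoding, and why the header and body transports, which keep the secret out of the request-target entirely, are the better fit for a login call.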