Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

abpAccountWebModule, checkPassword method why not need authorize #2287

Closed
cqgis opened this issue Dec 1, 2019 · 1 comment · Fixed by #2293
Closed

abpAccountWebModule, checkPassword method why not need authorize #2287

cqgis opened this issue Dec 1, 2019 · 1 comment · Fixed by #2293
Assignees
@maliming

Comments

@cqgis
Copy link

cqgis commented Dec 1, 2019

checkPassword method why not need authorize? is it not safe?

  [RemoteService]
    [Controller]
    [ControllerName("Login")]
    [Area("Account")]
    [Route("api/account")]
    public class AccountController : AbpController
    {
   ...
        [HttpPost]
        [Route("checkPassword")]
        public virtual async Task<AbpLoginResult> CheckPassword(UserLoginInfo login)
        {
            ValidateLoginInfo(login);
            var identityUser = await _userManager.FindByNameAsync(login.UserNameOrEmailAddress);

            if (identityUser == null)
            {
                return new AbpLoginResult(LoginResultType.InvalidUserNameOrPassword);
            }

            return GetAbpLoginResult(await _signInManager.CheckPasswordSignInAsync(identityUser, login.Password, true));
        }
...
}
@maliming maliming self-assigned this Dec 1, 2019
@maliming
Copy link
Member

maliming commented Dec 1, 2019

It is similar to the Login method, no authorize is required, but I found that it should call ReplaceEmailToUsernameOfInputIfNeeds

@maliming maliming added this to the 1.1 milestone Dec 1, 2019
@hikalkan hikalkan modified the milestones: 1.1, 1.2 Dec 2, 2019
maliming added a commit that referenced this issue Dec 2, 2019
@maliming
CheckPassword method should call ReplaceEmailToUsernameOfInputIfNeeds.
88a13e9 
Resolve #2287
@maliming maliming mentioned this issue Dec 2, 2019
Merged
@hikalkan hikalkan removed this from the 1.2 milestone Dec 11, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maliming maliming

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

CheckPassword method should call ReplaceEmailToUsernameOfInputIfNeeds. abpframework/abp
3 participants
@hikalkan @maliming @cqgis