Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

verifyPassword endpoint should accept POST #7784

Open
3 tasks done
cbaker6 opened this issue Jan 24, 2022 · 3 comments
Open
3 tasks done

verifyPassword endpoint should accept POST #7784

cbaker6 opened this issue Jan 24, 2022 · 3 comments
Labels
type:feature New feature or improvement of existing feature

Comments

@cbaker6
Copy link
Contributor

cbaker6 commented Jan 24, 2022
edited
Loading

New Feature / Enhancement Checklist

Current Limitation

verifyPassword currently only accepts get. Most of the endpoints have been moved to accept POST, but not this one. When using GET with verifyPassword, it sends the username and password being verified allowing this data to be cached.

parse-server/src/Routers/UsersRouter.js

Lines 493 to 495 in 350b59a

this.route('GET', '/verifyPassword', req => {
return this.handleVerifyPassword(req);
});

Feature / Enhancement Description

Use POST instead and SDK's should change to POST. I currently only found this being used in the JS SDK, though I have an implementation of it for the Swift SDK that I haven't merged yet. I don't plan on merging the Swift version with GET. Of course, it can also be accessed via REST.

Maybe get rid of GET here? Maybe it's needed for backwards compatibility? Just a thought...

Example Use Case

  1. User is logged in
  2. User attempts to verify their password. Hit the verifyPassword endpoint with a POST (instead of GET)

Alternatives / Workarounds

Use GET or don't use verifyPassword/

3rd Party References

Previous Issue #4052, PR: #4268
@parse-github-assistant
Copy link

parse-github-assistant bot commented Jan 24, 2022
edited
Loading

Thanks for opening this issue!

  • 🎉 We are excited about your ideas for improvement!

@mtrezza
Copy link
Member

mtrezza commented Jan 24, 2022
edited
Loading

I also think it should be POST because:

  • the request changes something on the backend, so according to http spec it should not be GET
  • username potentially an email address) is PII and should not be in logs

@mtrezza mtrezza added the type:feature New feature or improvement of existing feature label Jan 24, 2022
@mtrezza
Copy link
Member

mtrezza commented Jan 24, 2022
edited
Loading

Mixed up the endpoints in my previous comment, verifyPassword is not changing anything on the backend side, it's an idempotent operation, which speaks for GET. However, the HTTP specs allow to use POST for idempotent ops if there is a good reason, which I think is given considering that we don't want sensitive info in logs.

This almost contradictory spec of RFC2616 / HTTP/1.1 which implies that an idempotent request has to expose parameters as part of the URL due to lack of a request body is slowly softening up. RFC 7230-7237 (2014) does not explicitly demand that the request body of a GET request should be ignored. This opens up the possibility to add a body to a GET request. However, we may run into compatibility issues on systems where the request is parsed in a "conservative" way and any body of a GET request being discarded.

So for the time being, switching to POST seems to be the way to go.

@cbaker6 cbaker6 mentioned this issue Jan 25, 2022
Merged
5 tasks
@parseplatformorg parseplatformorg mentioned this issue Mar 3, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:feature New feature or improvement of existing feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mtrezza @cbaker6