Reputation: 2345
I have an endpoint method named 'changePassword' with HTTP path '/:id/changePassword'. Inside the method I find the account by id and update the password attribute of the model. The problem is that the password does change and gets updated, but the access token also gets deleted for no reason.
Current Code
instance.hasPassword(data.oldPassword, function(err, isMatch) {
  if (err) {
    // Comparison failure (e.g. datasource error): report it instead of ignoring it.
    return cb(err);
  }
  if (!isMatch) {
    // The original code never called cb on a mismatch, so the request would hang.
    var wrongPassword = new Error('Old password does not match');
    wrongPassword.statusCode = 401;
    return cb(wrongPassword);
  }
  // Persist the new password on the found account instance.
  instance.updateAttributes({'password': data.password}, function(errUpdateAccount, updatedAccount) {
    if (errUpdateAccount) {
      return cb(errUpdateAccount);
    }
    return cb(null, {
      status: 200
    });
  });
});
Upvotes: 1
Views: 771
Reputation: 30430
Yes, this is the new behavior. If the whole user object is changed (User.update and friends), or just the password, all the user's access tokens are invalidated.
Here's what one of the project collaborators said regarding it:
Logging out users is important for security reasons. Consider the case when somebody hacks the email that you used when registering with a LoopBack-powered app. After you find this out, you log into the app and change the email to a different one that wasn't hacked. Without session (access token) invalidation, the attacker would remain logged into your account and you would have no way to log them out.
Having said that, I agree that this makes the user experience less optimal. I am proposing to allow the end user to decide whether they want to log out other sessions or not, see #3071
Right now there's just an open issue for this (#3071) with no pull request. There's no clean workaround for this.
If you are really desperate to have a solution, then you can monkey-patch loopback:
I had a look at the code and found the part responsible for it, which calls User._invalidateAccessTokensOfUsers. Since I haven't found that function used anywhere else in the project, I guess what you can do is a risky move: override it to do nothing:
app.models.User._invalidateAccessTokensOfUsers = (ids, cb) => process.nextTick(cb);
This is the best way I can think of to fix the problem until they resolve this bug (#3071). Note that you should make sure your code and your dependencies also don't use _invalidateAccessTokensOfUsers, and also that loopback doesn't start using it in other places. Comment it well, don't forget to remove it, and be very careful.
Upvotes: 2