When updating the user password, the password is stored in not hashed

[LoicMahieu]

Step to reproduce:

• Create a sample app slc loopback
• Expose User model with public: true
• Create a new user: POST /Users { "password": "foo", "email": "foo@bar.com" }
• Try to authenticate with password foo
• It success
• Update the user with new password: PUT /Users/1 { "password": "bar" }
• Try to authenticate with password bar
• It fails

Diagnostic:

It seems that the setter results (see UserModel.setter.password) is not used as "data" for the connector, see: DataAccessObject.prototype.updateAttributes . So I think that setter results is never saved in db.

It is really critic because it causes the User model not usable.

Versions:

├─┬ loopback@2.26.2
│ ├── loopback-connector-remote@1.0.3
│ ├── loopback-phase@1.3.0
│ └── strong-remoting@2.25.0
├── loopback-boot@2.16.0
├── loopback-component-explorer@2.3.0
├── loopback-connector-mysql@2.2.0
└── loopback-datasource-juggler@2.45.0

[0candy]

I am not sure if you are using explorer. But if you are, after you authenticate the first time, you need to set the access token at the top of the explorer page before you can update the password.
https://docs.strongloop.com/display/public/LB/Introduction+to+User+model+authentication

Same with if you do it in the code, you need to have the authorization token for the user to submit the request.
https://docs.strongloop.com/display/public/LB/Logging+in+users

The title of your issue is different from what you're asking in the description. Are you saying that the password value is not being stored as hash or are you having issues updating the user password?

I'm seeing this same issue as well. The POST method hashes the password field and saves the entry correctly. The PUT method calls the UserModel.setter.password method on the User which hashes the password but the database entry is stored in plain text. This obviously breaks the users ability to log into the system.

Loopback version 2.26.2

[LoicMahieu]

@0candy Sorry if it wasn't clear. I describe a "login" procedure to illustrate the problem. I am aware about token mechanism of loopback.

To simplify:

• Update the user with new password: PUT /Users/1 { "password": "bar" }
• Look at the DB, the password is stored in clear.

[jonicas]

+1

[0candy]

@LoicMahieu Thank you for pointing out the issue. We will take a look.

[arealmaas]

+1

Which version was this introduced?

[glesage]

Maybe something in this commit: loopbackio/loopback-datasource-juggler@8ca67c3 ?