I have created a custom ActionTokenHandler for reporting fraudulent user registrations.
I create an action token link.
The first time the user clicks on the link, the handler is called and disables the user - a correct requirement.
However, when the user clicks again on the same link, it does not call my custom action token handler and returns "Invalid Username and Password" as an error.
So my question is: is there any way to call the handler even if the user is disabled, or can we intercept the request before it goes to the handler?
[Sorry, I cannot share my code since it is confidential.]
Related
I'm using Spring Security OAuth2 Login to authenticate users with a Facebook account. Everything works well. However, I have an issue when a user logs in successfully, clicks the back button and opens the Facebook authorization URI a second time (https://www.facebook.com/v2.8/dialog/oauth). It again redirects to the callback URL /login/oauth2/code/facebook with a new code, but this time authentication fails. The OAuth2 login failure handler gets called and redirects to the default failure URL. Here is the exception:
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [authorization_request_not_found]
Therefore the issue is that the second authentication was not initiated by security oauth2 code and it doesn't expect this second callback. Any idea how this can be solved? Is it possible to ignore this second callback? Ideally the second authentication should also be successful.
My solution to this problem was to open the authorization URL (/oauth2/authorization/facebook) in a pop-up window with JavaScript. The pop-up window would respond to the parent window with JavaScript postMessage.
I have followed this tutorial for implementing Spring JWT authorization. On top of this, the application is sending activation emails during registration. After clicking on the attached URL, the user is marked as activated (column registration_confirmed is set to true in the database).
When the user wants to log in, a request is sent to the /oauth/token service with these params: grant_type=password, username=user, password=pwd
How can I check if the user is activated before generating an access token as a response?
So far I wasn't able to find a way to do this.
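One way to make the check happen before any token is issued, as an added example (not code from the question or from the tutorial it follows): the password grant on /oauth/token authenticates through Spring Security's AuthenticationManager, and DaoAuthenticationProvider runs its "enabled" check before it compares passwords. Mapping the registration_confirmed column onto the UserDetails enabled flag therefore rejects unconfirmed accounts with a DisabledException. The AccountRepository and Account types below are assumed stand-ins for the application's own persistence layer.

```java
import java.util.Optional;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Added example: maps registration_confirmed onto Spring Security's "enabled"
 * flag so that the password grant fails for unconfirmed accounts before any
 * access token is generated.
 */
public class ActivatedUserDetailsService implements UserDetailsService {

    /** Hypothetical persistence abstraction; the real application uses its own repository. */
    public interface AccountRepository {
        Optional<Account> findByUsername(String username);
    }

    /** Hypothetical projection of the user table (username, encoded password, registration_confirmed). */
    public static final class Account {
        public final String username;
        public final String encodedPassword;      // already hashed with the configured PasswordEncoder
        public final boolean registrationConfirmed;

        public Account(String username, String encodedPassword, boolean registrationConfirmed) {
            this.username = username;
            this.encodedPassword = encodedPassword;
            this.registrationConfirmed = registrationConfirmed;
        }
    }

    private final AccountRepository accounts;

    public ActivatedUserDetailsService(AccountRepository accounts) {
        this.accounts = accounts;
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        Account account = accounts.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("user not found"));

        return User.builder()
                .username(account.username)
                .password(account.encodedPassword)
                .roles("USER")
                // Unconfirmed registration -> enabled=false -> DisabledException during
                // authentication, so /oauth/token returns an error instead of a token.
                .disabled(!account.registrationConfirmed)
                .build();
    }
}
```

Register this bean as the UserDetailsService used by the AuthenticationManager that the token endpoint is wired to. Note that a DisabledException produces a different error message than bad credentials, so the response reveals that the account exists but is unconfirmed; if that distinction should not be visible to callers, map both cases to the same generic error in the failure handling.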
I was wondering: is it possible to intercept the event that checks authorization when attempting to edit a document (e.g. the one that returns the error Authorization error: Unauthorized access to URL: ) and add my own checks (e.g. based on specific document ids, external user groupings, etc.)?
In ContentService.Save() there's an option to include a user ID. I assume the saving is then done in the context of that user and that user's permissions.
Also, you can hook into ContentService.Saving event and do whatever checks you want (and cancel the save if your checks "fail").
https://our.umbraco.org/documentation/reference/events/contentservice-events
Using the new Outlook REST APIs to import contacts from Outlook/Hotmail email accounts. There is a minor glitch though: once the user clicks the import contacts button and the initial MS auth dialog pops up (URL login.microsoftonline.com), as soon as the user finishes entering their email address, the page suddenly redirects to login.live.com.
This is bad because:
1) this happens without any warning (the user could be in the middle of entering their password, for example);
2) what's the point of using the new APIs if the auth is still being handled by the old Live Connect API endpoint?
Would like to know if there is any way to prevent this redirect from happening?
Maybe I am missing some param which needs to be passed in to the initial auth URL?
I have a Spring controller method which could be called in different scenarios. Here is the example:
@RequestMapping("/resetpassword")
public ModelAndView resetpassword(@Valid @ModelAttribute("resetpasswordForm") ResetPawdFormForm resetPawdFormForm, ModelAndView modelAndView) {
    // ...
}
This method could be executed in 3 different scenarios:
1) Using the hyperlink from the reset password email sent to the user.
eg: localhost/myApp/login/resetpassword//
Here I can authenticate userID and activationSecretCode in the DB and let the user reset the password.
2) The user can click on the resetpassword link from the user settings page.
eg: Since the user is already coming from the user settings page, I can validate the userSession and allow him to reset the password.
3) The user can log in for the first time successfully, but is forced to reset the password due to admin requirements for resetting the initial default password.
eg: In this case the user neither has a session nor passes any activation code to validate.
The login method validates userid/default password and redirects to the resetpassword mapping (method=GET).
How can the system authenticate the user request and allow him to reset the password?
One alternative for this is to use flash attributes and set an authenticationKey as a flash attribute, which could be verified in the resetpassword method.
Is there another way to implement this?
Note: I posted an issue in implementing this approach in
Post: Spring: How to pass Java objects during redirect while using ModelAttribute
Any help?
I think the best way to implement this is using three different action methods:
resetPassword (e-mails)
resetLoggedUserPassword (via settings)
changeDefaultPassword
They may even share the same view, but the behaviors are not equal, so I would avoid overloading the action responsibility.
EDIT: elaborating on your comment:
1) To secure the e-mail link, one way is to add an authentication token. The token can be as weak as a hashed user id plus some salt string, or as strong as a GUID with an expiration time in a database table, generated whenever a user requests a password reset.
2) The settings way is not a problem, considering that the user is already logged in.
3) The temporary password action can be secured the same way as 1, or the same way as 2, if you put the user on the session. Logging in the user even with the default password status shouldn't be a concern if the code that verifies the status of the account is inside a request filter.
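The "strong" option from point 1 (and, per point 3, the same mechanism for the temporary-password scenario), written out as an added example that is not the answer's or the question's own code: a random single-use token with an expiry, issued when the reset is requested and redeemed once from the e-mail link. The in-memory map stands in for the database table, the 30-minute lifetime is an assumed value, and only a SHA-256 hash of the token is stored so that a leaked table contains no usable reset links.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example: random, single-use, expiring password reset tokens.
 * Stores hash(token) -> (user id, expiry); the clear token only ever travels in the link.
 */
public class PasswordResetTokens {

    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofMinutes(30);   // assumed lifetime

    private static final class Entry {
        final String userId;
        final Instant expiresAt;

        Entry(String userId, Instant expiresAt) {
            this.userId = userId;
            this.expiresAt = expiresAt;
        }
    }

    /** Stands in for the database table from point 1; keyed by hash(token), not the token. */
    private final Map<String, Entry> table = new ConcurrentHashMap<>();

    /** Creates the token for the e-mail link and records its hash with an expiry. */
    public String issue(String userId, Instant now) {
        byte[] raw = new byte[32];                                   // 256 bits from SecureRandom
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        table.put(sha256(token), new Entry(userId, now.plus(TTL)));
        return token;
    }

    /**
     * Consumes the token. Returns the user id it was issued for, or null when the token
     * is unknown, already used, or expired. Removing before checking makes it single-use
     * even when two requests with the same link race each other.
     */
    public String redeem(String token, Instant now) {
        Entry entry = table.remove(sha256(token));
        if (entry == null || now.isAfter(entry.expiresAt)) {
            return null;
        }
        return entry.userId;
    }

    /** Hashing before lookup means the map's key comparison never touches the clear token. */
    private static String sha256(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        PasswordResetTokens tokens = new PasswordResetTokens();
        Instant t0 = Instant.now();
        String token = tokens.issue("user-42", t0);
        System.out.println("first use:  " + tokens.redeem(token, t0));
        System.out.println("second use: " + tokens.redeem(token, t0));
        String late = tokens.issue("user-42", t0);
        System.out.println("after TTL:  " + tokens.redeem(late, t0.plus(Duration.ofHours(1))));
    }
}
```

In the resetpassword controller, the user id returned by redeem() should be compared with the userID carried in the link rather than trusting the link's userID on its own, and a null result should be treated as an invalid or expired link. For the third scenario from the question, the login method can issue such a token for the just-authenticated user and redirect with it, which avoids relying on flash attributes to carry proof of authentication across the redirect.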