Password Limitations?

5 years 4 months ago #258 by paul_mcdonald
Password Limitations? was created by paul_mcdonald
I have an app that requires a user to login to the app. They type their username/password (from joomla) into the app. That gets passed to the website (using cAPI). It seems that those that utilize special characters cannot validate.

Has anyone experienced issues with the use of special characters when passing in passwords to validate user?

5 years 4 months ago #259 by steve.tsiopanos
Replied by steve.tsiopanos on topic Password Limitations?
Hi Paul,

This issue has been brought up previously, though it is not really a bug, it's an inherent issue of using a URL string to pass the username and password. While cAPI does provide that capability, it is limited by the fact that URLs will break at certain special characters.

What you want to do is use the BASIC_AUTH capabilities or token based authentication. With BASIC_AUTH, credentials are guaranteed to be passed through the API server correctly.

learn.getcapi.org/intermediate/basic-authentication

After some consideration, the following API method should probably be deprecated:

learn.getcapi.org/api-methods/joomla-api-routes/user/get-user-login-username-password

yourdomain.com/api/v1/login/:username/:password

That's because the moment you include a special character in your password, the URL request will break at that character. A long term solution would be to require that the password be BASE64 encoded prior to passing it into the URL request.

Note: This is not "security" as BASE64 is not encryption, but rather reversible encoding. Its main purpose in this case would be to allow password strings to be passed through via a URL request in such a way that they can be decoded on the receiving end without being adulterated.

Although this is the community support forum, I felt it important to respond to this question because I am sure others have experienced this issue as well. My recommendation, to avoid issues with special characters, is to use the BASIC_AUTH method or token authentication (or require your users to create passwords with no spaces, no special characters... not ideal).

3 years 5 months ago #302 by berti01
Replied by berti01 on topic Password Limitations?
Please keep in mind that deprecating the endpoints is not appreciated in cases where you want to actually use the session and session id.

Furthermore, the proper way would be to make it use POST form params or a JSON body instead of GET/URL parameter.
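The following is an added illustration of the three points made in this thread (the path-parameter route breaking on special characters, steve.tsiopanos's Basic Auth recommendation, and berti01's suggestion of a POST body). It is example code written for this page, not cAPI's own code, and it does not talk to any server: the route shape `/api/v1/login/:username/:password`, the hostname `yourdomain.com` and the sample credentials are all assumptions or constructed values. It simulates what a router sees when the raw password is interpolated into the path, then shows the same credentials surviving intact through an `Authorization: Basic` header and through a JSON body.

```python
import base64
import json
from urllib.parse import quote, unquote, urlsplit

# Constructed sample credentials; the password deliberately contains
# characters that have meaning in a URL: '@', '/', '#' and '?'.
USERNAME = "paul"
PASSWORD = "p@ss/word#1?x"
ROUTE_DEPTH = 6  # ['', 'api', 'v1', 'login', username, password]


def url_path_login(username, password):
    """Mimic the deprecated /api/v1/login/:username/:password route with
    the password dropped into the path as-is (hypothetical route)."""
    url = f"https://yourdomain.com/api/v1/login/{username}/{password}"
    parts = urlsplit(url)            # '#' starts a fragment, '?' a query
    segments = parts.path.split("/")
    if len(segments) != ROUTE_DEPTH:  # '/' in the password adds segments
        return None                   # router would not match this route
    return segments[4], segments[5]


def encoded_path_login(username, password):
    """Same route, but each path segment is percent-encoded first
    (safe='' so that '/' also becomes %2F)."""
    url = (f"https://yourdomain.com/api/v1/login/"
           f"{quote(username, safe='')}/{quote(password, safe='')}")
    segments = urlsplit(url).path.split("/")
    if len(segments) != ROUTE_DEPTH:
        return None
    return unquote(segments[4]), unquote(segments[5])


def basic_auth_header(username, password):
    """Build the header a client sends for HTTP Basic authentication:
    base64('user:pass'), as described in RFC 7617."""
    raw = f"{username}:{password}".encode("utf-8")
    token = base64.b64encode(raw).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def parse_basic_auth(header_value):
    """Server side: decode the header and split on the FIRST ':' only,
    because the password itself may contain colons."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def json_body_login(username, password):
    """Client side of a POST login: credentials go in the request body,
    where URL delimiters carry no special meaning."""
    return json.dumps({"username": username, "password": password})


def parse_json_login(body):
    """Server side: parse the JSON body and pull out the two fields."""
    data = json.loads(body)
    return data["username"], data["password"]


if __name__ == "__main__":
    print("raw path      :", url_path_login(USERNAME, PASSWORD))
    print("encoded path  :", encoded_path_login(USERNAME, PASSWORD))
    hdr = basic_auth_header(USERNAME, PASSWORD)["Authorization"]
    print("basic auth    :", parse_basic_auth(hdr))
    print("json body     :", parse_json_login(json_body_login(USERNAME, PASSWORD)))
```

With the sample password, `url_path_login` returns `None`: the `#` turns the rest of the URL into a fragment that never reaches the server, and the `/` adds a path segment so the route no longer matches. Percent-encoding makes the route work in this simulation, but many web servers and frameworks decode `%2F` before routing (or reject it outright), so it is not a dependable fix for a path parameter; the header and the body carry the credentials without touching URL syntax at all. One detail worth knowing if you follow the base64-in-URL idea from the earlier reply: the standard base64 alphabet includes `+` and `/`, so `base64.urlsafe_b64encode` would be needed to keep `/` out of the path.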
