Generator-jhipster: REST API user management, regex on login too restrictive

Created on 5 Apr 2016 · 13 Comments · Source: jhipster/generator-jhipster

Overview of the issue

If you want to edit the anonymousUser (default user) you get this error:
No message available

It's because the regex in the REST API is too restrictive on the login:

@RequestMapping(value = "/users/{login:[_'.@a-z0-9-]+}",

Angular can't get the user information.

JHipster version

JHipster 3.0

Entity configuration(s) entityName.json files generated in the .jhipster directory

No entity

Browsers and Operating System

Chrome

Suggest a Fix

A correction would be in the UserResource.java file:
@RequestMapping(value = "/users/{login:[_'.@a-zA-Z0-9-]+}",

But the front end must then have a matching regex check.

Or another solution is to remove the regex on the login in the REST API.


All 13 comments

The regex for a User's login is also set in UserDTO

What's the point of doing a regex for this? Shouldn't we only do a regex to validate the username in the registration?

The regexp is because there is an issue with Spring MVC if you use a "." -> that's because if you call "user.json", Spring MVC by default will send you the user in JSON format. The issue is when your username is "julien.dubois"....
At the moment the regexp also validates that the username is in lowercase, but indeed this isn't useful.
So this looks good to me, can you do a PR?

I did this here but I've got a problem: when I try to log in with a capslocked user, like USERTEST, it throws me a 401 error "bad credentials", but I'm sure that I'm using the right ones and I couldn't find where this comes from...

@jhipster/developers if someone has an idea I can work on it :)

@wmarques I tested your branch with the development database set to mysql and it worked, but it doesn't work with h2disk. I looked into it and it's because H2's select statements are case-sensitive and we get the user from the database by lowercase login instead of the original (code link). I removed the .toLowerCase() and it works.

As a side note, all of the register form translations will need to be updated.

@ruddell Thanks for finding this one, I'm fixing this :)

So now it's fully working, but I think it's strange to have case-sensitive logins. Now we can have users with the same name; I don't think it's a common way of doing it, but maybe I'm wrong?

Adding a user repository method findOneByLoginIgnoreCase is one option that would work for every database type. I agree we shouldn't let multiple accounts have the same username with different casing.

Or add anonymousUser as an exception to every regex like in User.java (don't know if this would work).

@wmarques I think we should be having case-insensitive users only. That's how it's normally done. I should be able to log in irrespective of the case I use in the username, and we shouldn't allow creation of two accounts with the same name.

@ruddell @deepu105 So should we lowercase all logins before DB registration? (except anonymousUser)

@wmarques that might be a good idea

I think it's better adding anonymousUser to the regexp and having the same regexp everywhere.
And asking the user to enter a lowercased login (what we actually do) makes sense to me, instead of lowercasing the login ourselves.
So here I just updated the regexp; if it's OK I will PR this.
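The two points this thread turns on, the path regex that rejected anonymousUser and the case-insensitive lookup the later comments converge on, as an added Python example that is not code from the JHipster project or from anyone in this thread. The character classes mirror the Java ones quoted in the issue; UserStore is a constructed stand-in for the user repository, and the exact-case lookup reproduces the H2 symptom ruddell described.

```python
import re

# Path-variable regex from the issue (lowercase only) and the proposed fix.
# These ASCII character classes mean the same thing in Java and Python.
LOGIN_REGEX_OLD = re.compile(r"[_'.@a-z0-9-]+")
LOGIN_REGEX_FIXED = re.compile(r"[_'.@a-zA-Z0-9-]+")


def login_matches(login: str, pattern: re.Pattern = LOGIN_REGEX_FIXED) -> bool:
    """True when the whole path segment would satisfy the @RequestMapping regex."""
    return pattern.fullmatch(login) is not None


class UserStore:
    """Constructed stand-in for the user repository (not the JHipster code).

    Logins keep their original casing for display but are indexed by a
    case-folded key, so uniqueness and lookup do not depend on the database
    collation (MySQL was case-insensitive, H2 was not).
    """

    def __init__(self) -> None:
        self._by_key: dict[str, str] = {}

    @staticmethod
    def _key(login: str) -> str:
        return login.casefold()

    def register(self, login: str) -> bool:
        """Store a new login; False when the same name (any casing) exists."""
        if not login_matches(login):
            raise ValueError(f"login {login!r} rejected by regex")
        key = self._key(login)
        if key in self._by_key:
            return False
        self._by_key[key] = login
        return True

    def find_one_by_login_ignore_case(self, login: str):
        """The findOneByLoginIgnoreCase option discussed in the thread."""
        return self._by_key.get(self._key(login))

    def find_one_by_login_exact(self, login: str):
        """Case-sensitive lookup: fails for 'usertest' when 'USERTEST' was
        stored, which is the 401 'bad credentials' seen on H2."""
        stored = self._by_key.get(self._key(login))
        return stored if stored == login else None
```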
