VERY VERY IMPORTANT !!!

I identified a situation that is very "interesting" and relevant(!) to be pointed out and discussed: Email authentication is case sensitive, and from a security perspective it is obviously very good; in the users table the field email is unique and case sensitive too, and again from a security standpoint it's obviously very good. Having said that, I tested and verified that you can create new user accounts with these emails as examples: daniel@google.com, another: Daniel@google.com, another: DanieL@google.com ... and so on ... which, through the prism of user registration and database consistency, can generate a HUGE PROBLEM 💣. Imagine a user who didn't notice that he typed an upper or lower case character (or forgot): he will try to log in, a message will appear: non-existent account 🤔, and he can/will create another account 💡, believing countless things that pass through his mind ... here the mess 💩 🤣 is done: the database has two or more accounts from the same person with the "same" email (only with character case variations)!!! From my humble point of view this is TERRIBLE! 😱 🤕 😪

Below I show what I did to avoid this, but I would like to suggest, if it makes logical sense, having something native in Xano, or having the default CRUD APIs that are created with a new instance already include the setup I made (or similar) by default, and/or having one clear instruction in the documentation in this regard.
Let's brainstorm this:

So far what I did was:
1) Signup process: when I add a new user, I used the "to_lower" filter on the email input value.
[image.png]
2) Login process: at the get-user-record step (find users record by field email), I also added the "to_lower" filter to the email input value.
[image.png]

Comments

  • Sean Montgomery (Administrator)

    Hi,

    You can use a filter on the input arguments for the api endpoint.

    We may add support for case-insensitive text schema, but it isn't on the horizon just yet. For the time being if this is important, you can update your input field and force it to be lower case.

    [Image]
  • Daniel Rjeili
    Nice! Your suggestion is simpler ... to be clear, I don't see any rush for any upgrade on the platform (I don't think it's a Xano deficiency); it's "just" a "bad window" of opportunity for something that should be dealt with more in the logical part of the functions to avoid "surprises"!
  • Karolyn Webb
    Thank you for this! Super helpful.
  • Jayden72 (Member)

    The images from this are no longer here. Would someone be able to show another example of how to fix this?
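
The fix discussed in this thread, sketched outside Xano as an added example (not part of the original posts and not Xano's own code): the email is lowercased on both signup and login, and an audit query finds accounts that already differ only by case. The SQLite table stands in for the users table, and the function names and the extra whitespace trimming are assumptions.

```python
import sqlite3

def normalize_email(raw: str) -> str:
    # Same effect as the "to_lower" filter in the thread; strip() is an added assumption.
    return raw.strip().lower()

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # email is UNIQUE but compared case-sensitively, like the users table described above.
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL)")
    return db

def signup(db: sqlite3.Connection, email: str) -> bool:
    """Insert a user under the normalized email; False if that account already exists."""
    try:
        with db:
            db.execute("INSERT INTO users (email) VALUES (?)", (normalize_email(email),))
        return True
    except sqlite3.IntegrityError:
        return False

def find_user(db: sqlite3.Connection, email: str):
    """Login lookup: normalize the input the same way signup does."""
    row = db.execute("SELECT id FROM users WHERE email = ?",
                     (normalize_email(email),)).fetchone()
    return row[0] if row else None

def case_variant_duplicates(db: sqlite3.Connection) -> dict:
    """Audit existing rows: groups of accounts whose emails differ only by case."""
    rows = db.execute(
        "SELECT lower(email), group_concat(email, ',') FROM users "
        "GROUP BY lower(email) HAVING count(*) > 1").fetchall()
    return {key: sorted(variants.split(",")) for key, variants in rows}

def demo():
    db = open_db()
    # Constructed legacy rows, written before any normalization was in place.
    with db:
        db.executemany("INSERT INTO users (email) VALUES (?)",
                       [("daniel@google.com",), ("Daniel@google.com",), ("DanieL@google.com",)])
    dupes = case_variant_duplicates(db)
    created = signup(db, "DANIEL@google.com")   # rejected: lowercase form already exists
    found = find_user(db, "dAnIeL@google.com")  # resolves to the lowercase account
    return dupes, created, found

if __name__ == "__main__":
    print(demo())
```

Normalizing new input does not merge rows that already exist, so the audit query is what shows which accounts need manual cleanup.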