【问题标题】:Password reset not checking for existing users密码重置不检查现有用户
【发布时间】:2019-03-22 07:56:59
【问题描述】:

在我的密码重置功能中,用户可以输入他/她想要的任何内容。它甚至不需要是电子邮件地址。

我想检查一个有效的电子邮件地址,并且该电子邮件已在 Parse Server 中注册

@IBAction func forgotPasswordButtonTapped(_ sender: Any) {

let forgotPasswordAlert = UIAlertController(title: "Forgot password?", message: "Please enter your email address", preferredStyle: .alert)
forgotPasswordAlert.view.tintColor = UIColor.red
forgotPasswordAlert.addTextField { (textField) in
    textField.placeholder = "Email address"
}
forgotPasswordAlert.addAction(UIAlertAction(title: "Cancel", style: .cancel, handler: nil))
forgotPasswordAlert.addAction(UIAlertAction(title: "Reset password", style: .default, handler: { (action) in
    let resetEmail = forgotPasswordAlert.textFields?.first?.text
    PFUser.requestPasswordResetForEmail(inBackground: resetEmail!, block: { (success, error) in
        if error != nil {
            let resetFailedAlert = UIAlertController(title: "Error", message: error?.localizedDescription, preferredStyle: .alert)
            resetFailedAlert.view.tintColor = UIColor.red
            resetFailedAlert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
            self.present(resetFailedAlert, animated: true, completion: nil)
        } else {
            let resetEmailSentAlert = UIAlertController(title: "Password reset instructions sendt", message: "Please check your email", preferredStyle: .alert)
            resetEmailSentAlert.view.tintColor = UIColor.red
            resetEmailSentAlert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
            self.present(resetEmailSentAlert, animated: true, completion: nil)
        }
    })

}))
//PRESENT ALERT
self.present(forgotPasswordAlert, animated: true, completion: nil)

}

【问题讨论】:

    标签: swift parse-platform


    【解决方案1】:

    在您的操作中,您可以检查电子邮件的有效性:-

    forgotPasswordAlert.addAction(UIAlertAction(title: "Reset password", style: .default, handler: { (action) in
        let resetEmail = forgotPasswordAlert.textFields?.first?.text
    if self.isValidEmail(testStr: resetEmail) {
    // Check of email registered on server should be done via this API and API should return error based on that.
        PFUser.requestPasswordResetForEmail(inBackground: resetEmail!, block: { (success, error) in
            if error != nil {
                let resetFailedAlert = UIAlertController(title: "Error", message: error?.localizedDescription, preferredStyle: .alert)
                resetFailedAlert.view.tintColor = UIColor.red
                resetFailedAlert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
                self.present(resetFailedAlert, animated: true, completion: nil)
            } else {
                let resetEmailSentAlert = UIAlertController(title: "Password reset instructions sendt", message: "Please check your email", preferredStyle: .alert)
                resetEmailSentAlert.view.tintColor = UIColor.red
                resetEmailSentAlert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
                self.present(resetEmailSentAlert, animated: true, completion: nil)
            }
        })
    } else {
    //Show error that email entered is not correct format
    // present the reset email alertbox again.
    }
    
    }))
    
    func isValidEmail(testStr:String) -> Bool {        
        let emailRegEx = "[A-Z0-9a-z._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,64}"
    
        let emailTest = NSPredicate(format:"SELF MATCHES %@", emailRegEx)
        return emailTest.evaluate(with: testStr)
    }
    

    【讨论】:

    • 接受了这个,但它仍然不检查电子邮件是否在数据库中注册
    • 如其他答案中所述,提供电子邮件已注册或未创建安全问题(通过默默无闻的安全性)。最好只向用户显示一条通用消息:- You will receive an email to reset the password if your email exists (or you are registered)
    【解决方案2】:

    有一个解析电子邮件适配器来验证电子邮件。

    Verifying user email addresses and enabling password reset via email requires an email adapter. As part of the parse-server package we provide an adapter for sending email through Mailgun. To use it, sign up for Mailgun, and add this to your initialization code:

    https://github.com/parse-community/parse-server

    【讨论】:

    • 我已安装并运行 Mailgun。我在上面的问题中使用它来重置密码,并在注册时验证电子邮件地址。但是在输入邮箱地址进行密码重置时,它不检查注册的邮箱地址。
    【解决方案3】:

    关于 Parse Server 未通知客户端提供的电子邮件地址的用户不存在:

    在 Parse Server 的 3.1.0 之前,如果找不到电子邮件地址,重置密码的请求会返回错误,但这是一个安全风险,因为它允许攻击者获取用户数据以用于暴力攻击 - 请参阅这个explanation

    您还可以查看changelogPR that implemented this change

    仍然可以通过在发出密码重置请求之前查询User 类来自己实现这一点。但是,这不应该在客户端代码中完成,因为它要求用户数据可以公开访问,这是对隐私的重大侵犯。它也可以使用主密钥在云代码中实现,这样用户数据就不会被公众访问,但这会带来与上述相同的安全风险。

    【讨论】:

      猜你喜欢
      • 2013-05-18
      • 2016-12-13
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2017-11-29
      • 2013-02-06
      • 1970-01-01
      • 2015-08-04
      相关资源
      最近更新 更多