Comments (2)
Deroswent
commented on September 12, 2024
Another bug with the same auth/customer/emailpass route:
If in a request to auth/customer/emailpass send correct authorization credentials for the administrator, not the consumer - the request will return a JWT token, even though this route is for consumers, not administrators.
The route /auth/user/emailpass is used for authorization of administrators.
Moreover, using this JWT (which you got from auth/customer/emailpass but using admin credentials) - you can successfully create a session by sending a request to /auth/session. But with empty app_metatada value in DB (table auth_identity).
Expected behavior: When sending a request with admin credentials to auth/customer/emailpass - get 401 Unauthorized in response.
from medusa.
sradevski
commented on September 12, 2024
Hey all, we currently have a bit unexpected behavior, where if an auth identity doesn't exist we try to create it, even if you go through the login page. We will be cleaning the UX around this very soon.
One thing to note, an auth identity (eg. identified through your email) can be both an admin and a customer, which is why you are allowed to call both /customer/ and /user/ routes.
Also, if an auth identity doesn't have any app metadata, it means it is not acting neither as user, nor as a customer, so you can't really perform any authenticated actions. This won't result in unauthorized access, even though it might seem like it at first sight.
from medusa.
Related Issues (20)
- Stripe check out - payment session initiate failure HOT 2
- I can't deploy the medusa v2 to Railway even followed all the steps from their V2 Docs HOT 2
- '"medusa-react"' has no exported member named 'useAdminCreateStockLocation' HOT 2
- Medusa Learning Resources: Issue in Medusa Learning Resources HOT 1
- When will Paypal payment method be supported? HOT 1
- cannot configure db during backend creation HOT 2
- JWT Tokens not passed securely to frontend
- Digital Ocean backend deployment failed with "Failed to establish a connection to PostgreSQL" HOT 2
- Medusa Service factory returns incorrect type for models that end with 's' letter HOT 1
- Medusa Learning Resources: Issue in Relations between Payment Module and Other Modules HOT 1
- Add Product to cart with managed inventory and allow backorders
- Admin Widgets and UI Routes are not displaying HOT 5
- Bug: Amount sent to stripe vs displayed in summary page HOT 1
- Shipping Option Price Mismatch Bug in updateShippingOptionsWorkflow HOT 1
- [UI] DropdownMenu content not scrollable
- Authenticated sessions shared between separate instances of JS client
- admin not showing routes and widgets
- Medusa v2 Docs: Issue in 4.2.2. Service Factory - Medusa v2 Docs HOT 1
- npm install package version not found HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from medusa.