Change Add User API

Feature Requests
api
24 Posts 6 Posters 2.6k Views 6 Watching
      plusone-nick
      wrote on last edited by girish
      #1

      When using the "Add User" API there are 4 main fields: Email, Username, Display Name & Password

      I am suggesting that the Password field be removed

      My use case: After further testing with the Public Registration App I published there appears to be a method to exploit the API endpoint.

      I originally removed the Password field from my form as I want to require the users to verify their user and create their password within the Invite Email... This can be circumvented by making the request with an API tool like Postman and including the full payload schema with a password, allowing people to create users without verifying & even worse with non-existing emails...

      As this is meant to be a public registration API I cannot exactly restrict it any further...at least that I am aware of

      So either removing the password field from the Add User API or possibly adding the "Active" field and making some check to not allow the user to login until the account is verified

      Any thoughts or suggestions are greatly appreciated!

      NOTE: Just noticed that the users I create when using and when bypassing the Form are "Active" upon creation despite not verifying via the email

      ✌💙+1

        plusone-nick
        wrote on last edited by
        #2

        @girish @nebulon

          girish
          Staff
          wrote on last edited by
          #3

          @plusone-nick said in Change Add User API:

          I am suggesting that the Password field be removed

          Not sure I follow. The password field is already optional, you can just not specify it when creating a user. Is that what you want? Don't set the password field to null or an empty string, that will result in an error.

            girish
            Staff
            wrote on last edited by
            #4

            @plusone-nick said in Change Add User API:

            NOTE: Just noticed that the users I create when using and when bypassing the Form are "Active" upon creation despite not verifying via the email

            Users are added enabled, by default.

            I do wonder... when a user registers in your app, they should not be added into Cloudron immediately yet. Instead, the app should wait for email verification and when the email gets verified, only then it should get added into Cloudron. Is that how your app flow works?

              plusone-nick
              wrote on last edited by
              #5

              @girish yes it is optional and I removed it from my form but anyone can submit without the form and include the password then immediately log into Cloudron.
              There is no error when submitting null or empty string.

              I'm suggesting if it were removed from the API then it would require users to verify with the link as they can't just log in after submitting

                plusone-nick
                wrote on last edited by plusone-nick
                #6

                @girish when a user submits the form:

                • app makes an API call to Cloudron to create the user without the password field included
                • when successful it takes the output user ID and sets a dynamic url for the email invite
                • & then it sends the invite
                • user gets a success message telling them to check their email to set the password and when they do that it loads into the Cloudron instance

                to your point I could add an action right after the user is created when I get the ID to update the user to not active...forcing them to follow the email flow 🤔 Do you think that would work?

                EDIT: Although, thinking about it...it would still not stop someone from manipulating the API with a third party tool

                  plusone-nick
                  wrote on last edited by
                  #7

                  @girish if you want, make a user on https://join.plusonenetwork.xyz/ and I will make you an admin and provide steps for you to reproduce

                  Also here is my API: https://git.plusone.network/nick/cloudron-registration-community/-/blob/master/dmxConnect/api/new_user_flow.php

                    girish
                    Staff
                    wrote on last edited by
                    #8

                    @plusone-nick I registered now as test@cloudron.io. I am still not sure what the problem is 🙂 I got an invite email. After clicking it, I was able to set a password and sign into your Cloudron. What's missing?

                      BrutalBirdie
                      Partner
                      wrote on last edited by BrutalBirdie
                      #9

                      @plusone-nick said in Change Add User API:

                      I originally removed the Password field from my form as I want to require the users to verify their user and create their password within the Invite Email...This can be circumvented by making the request with an API tool like postman and including the full payload schema with a password allowing people to create users without verifying & even worse with non existing emails...

                      Holdup.
                      You mean people can inspect your web-page and get a token to run api calls?
                      This has way more security implications.

                      EDIT:
                      Ok that is not the case 😄 I just checked your page.

                        plusone-nick
                        wrote on last edited by
                        #10

                        @girish just changed you to admin.
                        Run something like and you can immediately log in with the password without having to activate through the email inv code
                        [image: 15ce9f84-91c0-4d6d-83a1-cb53f5168e1b-image.png]

                          nebulon
                          Staff
                          wrote on last edited by
                          #11

                          I think there is just some misunderstanding. The REST API supports specifying a password during user creation. Users are always active as such after creation and since the password is specified it will allow the user to login immediately. This is intentional. Now our current dashboard UI code does not allow specifying a password, but that is just a user interface decision we made.

                            plusone-nick
                            wrote on last edited by
                            #12

                            @nebulon I understand that it is working as designed. I'm implying that the current design does not account for this use case. As there is no pub reg feature in Cloudron we were advised to use the add user api to make our own reg app and that's where the issue arose.

                            I've obfuscated my Cloudron api key on the server side to enable pub reg but as discovered the new API that is leveraging Cloudron's Add user API can be exploited in this use case

                              michaelpope
                              wrote on last edited by
                              #13

                              @plusone-nick Hey Plusone, sorry if I'm just jumping in, have you thought about setting the password to a random value server side and then sending them a change password link? Not sure if that would help much at all though.

                              Hope you are having an awesome day.

                                plusone-nick
                                wrote on last edited by
                                #14

                                @michaelpope no worries at all and thanks for chiming in. That is doable, similar to making the new user not active upon creation when my form calls the api, coupled with setting a random password….🤔 sounds like it would work

                                I will have to test how this workflow would impact the send invite email as the last step

                                  nebulon
                                  Staff
                                  wrote on last edited by
                                  #15

                                  For some reason I am still not seeing the issue you are facing and which issue arose from using the rest api. Instead of creating a random password, you may just not provide a password at all? You can see at https://docs.cloudron.io/api.html#tag/Users/paths/~1users/post that only the email is strictly required.

                                    plusone-nick
                                    wrote on last edited by plusone-nick
                                    #16

                                    @nebulon not a problem, we will get to the bottom of this eventually

                                    I have already removed the password field from the form and API call...the issue is that the add user API will still accept the full schema without using my form (via an API tool like Postman, not on my form). Thus someone can simply obtain my API endpoint then inject a password with the rest of the body and then just log in...

                                    I have implemented and am testing the "de-activate" and "random password" workarounds but to be honest this is not an ideal solution

                                      MooCloud_Matt
                                      wrote on last edited by
                                      #17

                                      @plusone-nick
                                      Just to understand better, you want to have a public form that communicates with the Cloudron API directly?

                                      Matteo. R.
                                      Founder and Tech-Support Manager.
                                      MooCloud MSP
                                      Swiss Managed Service Provider

                                        plusone-nick
                                        wrote on last edited by
                                        #18

                                        @MooCloud_Matt yes, my form/API calls the Cloudron Add User API

                                          MooCloud_Matt
                                          wrote on last edited by MooCloud_Matt
                                          #19

                                          @plusone-nick
                                          I would not do that. With that key saved in your front-end code, anybody can access your server with no need of a password,
                                          and see all your data, stealing what you have saved in it.

                                          You need to build a server route that gets the information from the form and creates your user in Cloudron.

                                            nebulon
                                            Staff
                                            wrote on last edited by
                                            #20

                                            @MooCloud_Matt that makes sense now, I didn't expect that the access token was part of the frontend assets!
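
Added example (not part of any post above, and not code from Cloudron or from the registration app): the server route suggested in post #19, applied to the extra-field concern raised in posts #1 and #16. It contrasts a handler that relays the whole request body with one that builds the upstream body from an allowlist; the JSON field names (`email`, `username`, `displayName`, `password`) are assumed from the four fields named in the first post, and all function names are hypothetical.

```javascript
// Added example: how a public registration backend chooses what it forwards
// to the Add User API. Field names are assumptions based on the four fields
// named in the first post; function names are hypothetical.

const ALLOWED_FIELDS = ['email', 'username', 'displayName'];
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Pattern the thread describes: the backend relays whatever the client sent,
// so a hand-built request can add fields the HTML form never had.
function forwardWholeBody(requestBody) {
  return { ...requestBody };
}

// Hardened variant: the upstream body is built field by field from an
// allowlist. Anything else (including "password") fails the request, so the
// account can only get a password through the invite email.
function buildAddUserPayload(requestBody) {
  const isPlainObject = requestBody !== null &&
    typeof requestBody === 'object' && !Array.isArray(requestBody);
  if (!isPlainObject) {
    return { ok: false, status: 400, error: 'body must be a JSON object' };
  }

  const unexpected = Object.keys(requestBody)
    .filter((key) => !ALLOWED_FIELDS.includes(key));
  if (unexpected.length > 0) {
    return { ok: false, status: 400,
      error: 'unexpected field(s): ' + unexpected.join(', ') };
  }

  const payload = {};
  for (const field of ALLOWED_FIELDS) {
    if (!Object.prototype.hasOwnProperty.call(requestBody, field)) continue;
    const value = requestBody[field];
    if (typeof value !== 'string' || value.trim() === '') {
      return { ok: false, status: 400,
        error: field + ' must be a non-empty string' };
    }
    payload[field] = value.trim();
  }

  if (!payload.email || !EMAIL_RE.test(payload.email)) {
    return { ok: false, status: 400, error: 'a valid email is required' };
  }
  return { ok: true, payload };
}

// Constructed sample requests (not captured traffic).
const FORM_SUBMISSION = JSON.parse(
  '{"email":"alice@example.com","username":"alice","displayName":"Alice"}');
const HAND_BUILT_REQUEST = JSON.parse(
  '{"email":"bob@example.com","username":"bob","password":"chosen-by-client"}');

function demo() {
  return {
    naive: forwardWholeBody(HAND_BUILT_REQUEST),
    form: buildAddUserPayload(FORM_SUBMISSION),
    handBuilt: buildAddUserPayload(HAND_BUILT_REQUEST),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Only the object returned in `payload` is sent upstream, and the access token for the Add User API stays in this server-side handler.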
