Change Add User API
-
When using the "Add User" API there are 4 main fields: Email, Username, Display Name & Password
I am suggesting that the Password field be removed
My use case: After further testing with the Public Registration App I published there appears to be a method to exploit the API endpoint.
I originally removed the Password field from my form as I want to require the users to verify their user and create their password within the Invite Email...This can be circumvented by making the request with an API tool like postman and including the full payload schema with a password allowing people to create users without verifying & even worse with non existing emails...
As this is meant to be a public registration API I cannot exactly restrict it any further...at least that I am aware of
So either removing the password field from the Add User API or possibly adding the "Active" field and making some check to not allow the user to login until the account is verified
Any thoughts or suggestions are greatly appreciated!
NOTE: Just noticed that the users I create when using and when bypassing the Form are "Active" upon creation despite not verifying via the email
-
-
@plusone-nick said in Change Add User API:
I am suggesting that the Password field be removed
Not sure I follow. The password field is already optional, you can just not specify it when creating a user. Is that what you want? Don't set the password field to null or an empty string, that will result in an error.
-
@plusone-nick said in Change Add User API:
NOTE: Just noticed that the users I create when using and when bypassing the Form are "Active" upon creation despite not verifying via the email
Users are added enabled, by default.
I do wonder... when a user registers in your app, they should not be added into Cloudron immediately yet. Instead, the app should wait for email verification and when the email gets verified, only then it should get added into Cloudron. Is that how your app flow works?
-
@girish yes it is optional and I removed it from my form but anyone can submit without the form and include the password then immediately log into Cloudron.
There is no error when submitting null or empty string.I'm suggesting if it were removed from the API then it would require users to verify with the link as they cant just log in after submitting
-
@girish when a user submits the form:
- app make API call to Cloudron to create the user without the password field included
- when successful it takes the output user ID and sets a dynamic url for the email invite
- & then it sends the invite
- user gets a success message telling them to check their email to set the password and when they do that it loads into the Cloudron instance
to your point I could add an action right after the user is created when I get the ID to update the user to not active...forcing them to follow the email flow
Do you think that would work?EDIT: Although, thinking about it...it would still not stop someone from manipulating the API with a third party tool
-
@girish if you want make a user on https://join.plusonenetwork.xyz/ and I will make you an admin and provide steps for you to reproduce
Also here is my API: https://git.plusone.network/nick/cloudron-registration-community/-/blob/master/dmxConnect/api/new_user_flow.php
-
@plusone-nick I registered now as
test@cloudron.io. I am still not sure what the problem is
I got an invite email. After clicking it, I was able to set a password and sign into your Cloudron. What's missing? -
@plusone-nick said in Change Add User API:
I originally removed the Password field from my form as I want to require the users to verify their user and create their password within the Invite Email...This can be circumvented by making the request with an API tool like postman and including the full payload schema with a password allowing people to create users without verifying & even worse with non existing emails...
Holdup.
You mean people can inspect your web-page and get a token to run api calls?
This has way more security implications.EDIT:
Ok that is not the case
I just checked your page. -
I think there is just some misunderstanding. The REST API supports specifying a password during user creation. Users are always active as such after creation and since the password is specified it will allow the user to login immediately. This is intentional. Now our current dashboard UI code does not allow to specify a password, but that is just a user interface decision we made.
-
@nebulon I understand that it is working as designed. Iβm implying that the current design does not account for this use case. As there is no pub reg feature in Cloudron we were advised to use the add user api to make our own reg app and thatβs where the issue arose.
Iβve obfuscated my Cloudron api key on the server side to enable pub reg but as discovered the new API that is leveraging Clourdons Add user API can be exploited in this use case
-
@plusone-nick Hey Plusone, sorry if I'm just jumping in, have you thought about setting the password to a random value server side and then sending them a change password link? Not sure if that would help much at all though.
Hope you are having an awesome day.
-
@michaelpope no worries at all and thanks for chiming in. That is doable, similar to making the new user not active upon creation when my form calls the api, coupled with setting a random passwordβ¦.
sounds like it would workI will have to test how this workflow would impact the send invite email as the last step
-
For some reason I am still not seeing the issue you are facing and which issue arose from using the rest api. Instead of creating a random password, you may just not provide a password at all? You can see at https://docs.cloudron.io/api.html#tag/Users/paths/~1users/post that only the email is strictly required.
-
@nebulon not a problem, we will get to the bottom of this eventually
I have already removed the password field from the form and API call...the issue is that the add user API will still accept the full schema without using my form (via an API tool like postman not on my form) Thus someone can simply obtain my API endpoint then inject a password with the rest of the body and then just log in...
I have implemented and am testing the "de-activate" and "random password" workaround's but to be honest this is not an ideal solution
-
@plusone-nick
Just to understand better, you want to use have a public form that comunicare to Cloudron api directly? -
@MooCloud_Matt yes, my form/API call Cloudron Add User API
-
@plusone-nick
I would not do that, with that key saved in your front end code, anybody can access your server with not need of a password.
And see all your data, stealing what you have save in it.You need to build a server route, that get the information from the from and create your user in Cloudron.
Matteo. R.
Founder and Tech-Support Manager.
MooCloud MSP
Swiss Managed Service Provider -
@MooCloud_Matt that makes sense now, I didn't expect that the access token was part of the frontend assets!
