Serious issues with auth?
I'm not seeing any email uniqueness checks, even on verified email, both locally and test deployment. I can attack any user and change their (required) username and password, the username is simply updated in the DB. All I have to do is know the email.
I'm not seeing any discussion about this. I haven't strayed far at all from Wasp's auth setup, only requiring username string for display purposes instead of it just copying from the email string.
Hi @Supportneeded. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
Based on the information in the knowledge sources, here’s what can be said about your concerns:
Email Uniqueness Checks
Wasp enforces email uniqueness at the application level, especially for the email authentication method. The documentation states that emails are stored in a case-insensitive manner and must be unique. During signup, if someone tries to register with an email that already exists and is verified, Wasp pretends the account was created to prevent leaking the existence of the email, but does not allow duplicate verified emails. For unverified emails, registration is allowed to prevent bad actors from locking out users, but this does not mean verified emails can be duplicated — the system is designed to prevent that scenario (Docs: Email Signup).
Username Uniqueness
For the username & password auth method, usernames are also stored in a case-insensitive manner and must be unique. There was a discussion about enforcing unique usernames at the Prisma schema level, but it was previously only enforced at the JS level. However, the current recommendation is to use email authentication for serious deployments, as username-based auth is considered less secure and does not support password reset (GitHub Issue: Emphasize email auth).
Changing Username/Password with Only Email
If you are able to change another user's username and password just by knowing their email, this is a serious security issue. The default Wasp auth flow should not allow this: actions that update user data (like password or username) should require authentication (i.e., the user must be logged in and authorized). If you have customized the auth flow or user update actions, you must ensure that proper authentication and authorization checks are in place. For example, in the realworld example, the update user action checks if the user is authenticated before allowing updates:
(GitHub Issue: Updating password bug)
Summary
- Email uniqueness is enforced for verified emails.
- Username uniqueness should be enforced, but if you are using it only for display, ensure it is not used for authentication.
- You should not be able to change another user's credentials just by knowing their email; this suggests a missing authentication/authorization check in your custom logic.
- Wasp recommends using email authentication for production apps due to better security and password reset support.
If you are experiencing these issues with the default Wasp setup and have not customized the auth logic, it may be a bug or misconfiguration. If you have customized the update actions, review your code to ensure proper checks are in place.
If you need more specific help, please provide the relevant code snippets for your update actions or user entity configuration.
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------
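The authentication check kapa.ai describes, shown as an added example rather than code from Wasp or the realworld example. It contrasts an update action that selects the row by a caller-supplied email (the behaviour the original post reports) with one that only ever updates the logged-in user's own row; `HttpError` and the in-memory user store are constructed stand-ins modelled on `wasp/server`'s HttpError and Prisma's `context.entities.User`, so the file runs without a Wasp project.

```javascript
// Constructed stand-in for HttpError from 'wasp/server'
class HttpError extends Error {
  constructor(statusCode, message) {
    super(message);
    this.statusCode = statusCode;
  }
}

// Constructed in-memory stand-in for the Prisma delegate context.entities.User
function makeUserStore(rows) {
  const users = rows.map((r) => ({ ...r }));
  const match = (u, where) =>
    where.id !== undefined ? u.id === where.id : u.email === where.email;
  return {
    findUnique: async ({ where }) => users.find((u) => match(u, where)) ?? null,
    update: async ({ where, data }) => {
      const u = users.find((x) => x.id === where.id);
      if (!u) throw new Error('record not found');
      Object.assign(u, data);
      return { ...u };
    },
  };
}

// VULNERABLE: the target row is chosen by an email the caller supplies, and
// nothing ties the request to a session, so anyone who knows an email can
// rewrite that account's fields.
async function updateUserVulnerable({ email, username }, context) {
  const target = await context.entities.User.findUnique({ where: { email } });
  if (!target) throw new HttpError(404, 'no such user');
  return context.entities.User.update({ where: { id: target.id }, data: { username } });
}

// HARDENED: require a session (Wasp sets context.user for authenticated
// requests) and update only that user's own row; the caller never names the
// target account, so there is nothing to tamper with.
async function updateUserSecure({ username }, context) {
  if (!context.user) throw new HttpError(401, 'not authenticated');
  if (typeof username !== 'string' || username.trim().length === 0) {
    throw new HttpError(400, 'username required');
  }
  return context.entities.User.update({
    where: { id: context.user.id },
    data: { username: username.trim() },
  });
}
```

In a real Wasp action the same shape applies: read the identity from `context.user`, never from the action's arguments.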
Sorry @Supportneeded, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist:
Perhaps try again in 15mins?
OpenSaaS's own demo site fails to send verification email to log in and test this, so I'm not overly confident this is wholly on me. Anyone else having issues with holistic auth testing?