密码重置不检查现有用户
Password reset not checking for existing users
在我的密码重置功能中,用户可以输入 he/she 想要的任何内容。它甚至不需要是电子邮件地址。
我想检查一个有效的电子邮件地址,并且该电子邮件已在 Parse Server 中注册
@IBAction func forgotPasswordButtonTapped(_ sender: Any) {
let forgotPasswordAlert = UIAlertController(title: "Forgot password?", message: "Please enter your email address", preferredStyle: .alert)
forgotPasswordAlert.view.tintColor = UIColor.red
forgotPasswordAlert.addTextField { (textField) in
textField.placeholder = "Email address"
}
forgotPasswordAlert.addAction(UIAlertAction(title: "Cancel", style: .cancel, handler: nil))
forgotPasswordAlert.addAction(UIAlertAction(title: "Reset password", style: .default, handler: { (action) in
let resetEmail = forgotPasswordAlert.textFields?.first?.text
PFUser.requestPasswordResetForEmail(inBackground: resetEmail!, block: { (success, error) in
if error != nil {
let resetFailedAlert = UIAlertController(title: "Error", message: error?.localizedDescription, preferredStyle: .alert)
resetFailedAlert.view.tintColor = UIColor.red
resetFailedAlert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
self.present(resetFailedAlert, animated: true, completion: nil)
} else {
let resetEmailSentAlert = UIAlertController(title: "Password reset instructions sendt", message: "Please check your email", preferredStyle: .alert)
resetEmailSentAlert.view.tintColor = UIColor.red
resetEmailSentAlert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
self.present(resetEmailSentAlert, animated: true, completion: nil)
}
})
}))
//PRESENT ALERT
self.present(forgotPasswordAlert, animated: true, completion: nil)
}
在您的操作中,您可以检查电子邮件的有效性:-
forgotPasswordAlert.addAction(UIAlertAction(title: "Reset password", style: .default, handler: { (action) in
let resetEmail = forgotPasswordAlert.textFields?.first?.text
if self.isValidEmail(testStr: resetEmail) {
// Check of email registered on server should be done via this API and API should return error based on that.
PFUser.requestPasswordResetForEmail(inBackground: resetEmail!, block: { (success, error) in
if error != nil {
let resetFailedAlert = UIAlertController(title: "Error", message: error?.localizedDescription, preferredStyle: .alert)
resetFailedAlert.view.tintColor = UIColor.red
resetFailedAlert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
self.present(resetFailedAlert, animated: true, completion: nil)
} else {
let resetEmailSentAlert = UIAlertController(title: "Password reset instructions sendt", message: "Please check your email", preferredStyle: .alert)
resetEmailSentAlert.view.tintColor = UIColor.red
resetEmailSentAlert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
self.present(resetEmailSentAlert, animated: true, completion: nil)
}
})
} else {
//Show error that email entered is not correct format
// present the reset email alertbox again.
}
}))
func isValidEmail(testStr:String) -> Bool {
let emailRegEx = "[A-Z0-9a-z._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,64}"
let emailTest = NSPredicate(format:"SELF MATCHES %@", emailRegEx)
return emailTest.evaluate(with: testStr)
}
有一个解析电子邮件适配器来验证电子邮件。
Verifying user email addresses and enabling password reset via email requires an email adapter. As part of the parse-server package we provide an adapter for sending email through Mailgun. To use it, sign up for Mailgun, and add this to your initialization code:
关于 Parse Server 未通知客户端具有所提供电子邮件地址的用户不存在:
Parse Server 的 3.1.0 版之前,如果未找到电子邮件地址,重置密码的请求会返回错误,但这是一个安全风险,因为它允许攻击者获取用户数据以用于暴力攻击- 看到这个 explanation.
你也可以看看changelog and the PR that implemented this change。
在发出密码重置请求之前,仍然可以通过查询 User class 自行实现。但是,这不应该在客户端代码中完成,因为它要求用户数据可以 public 访问,这是对隐私的重大侵犯。它也可以使用主密钥在云代码中实现,这样 public 就无法访问用户数据,但这会带来上述相同的安全风险。
在我的密码重置功能中,用户可以输入 he/she 想要的任何内容。它甚至不需要是电子邮件地址。
我想检查一个有效的电子邮件地址,并且该电子邮件已在 Parse Server 中注册
@IBAction func forgotPasswordButtonTapped(_ sender: Any) {
let forgotPasswordAlert = UIAlertController(title: "Forgot password?", message: "Please enter your email address", preferredStyle: .alert)
forgotPasswordAlert.view.tintColor = UIColor.red
forgotPasswordAlert.addTextField { (textField) in
textField.placeholder = "Email address"
}
forgotPasswordAlert.addAction(UIAlertAction(title: "Cancel", style: .cancel, handler: nil))
forgotPasswordAlert.addAction(UIAlertAction(title: "Reset password", style: .default, handler: { (action) in
let resetEmail = forgotPasswordAlert.textFields?.first?.text
PFUser.requestPasswordResetForEmail(inBackground: resetEmail!, block: { (success, error) in
if error != nil {
let resetFailedAlert = UIAlertController(title: "Error", message: error?.localizedDescription, preferredStyle: .alert)
resetFailedAlert.view.tintColor = UIColor.red
resetFailedAlert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
self.present(resetFailedAlert, animated: true, completion: nil)
} else {
let resetEmailSentAlert = UIAlertController(title: "Password reset instructions sendt", message: "Please check your email", preferredStyle: .alert)
resetEmailSentAlert.view.tintColor = UIColor.red
resetEmailSentAlert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
self.present(resetEmailSentAlert, animated: true, completion: nil)
}
})
}))
//PRESENT ALERT
self.present(forgotPasswordAlert, animated: true, completion: nil)
}
在您的操作中,您可以检查电子邮件的有效性:-
forgotPasswordAlert.addAction(UIAlertAction(title: "Reset password", style: .default, handler: { (action) in
let resetEmail = forgotPasswordAlert.textFields?.first?.text
if self.isValidEmail(testStr: resetEmail) {
// Check of email registered on server should be done via this API and API should return error based on that.
PFUser.requestPasswordResetForEmail(inBackground: resetEmail!, block: { (success, error) in
if error != nil {
let resetFailedAlert = UIAlertController(title: "Error", message: error?.localizedDescription, preferredStyle: .alert)
resetFailedAlert.view.tintColor = UIColor.red
resetFailedAlert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
self.present(resetFailedAlert, animated: true, completion: nil)
} else {
let resetEmailSentAlert = UIAlertController(title: "Password reset instructions sendt", message: "Please check your email", preferredStyle: .alert)
resetEmailSentAlert.view.tintColor = UIColor.red
resetEmailSentAlert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
self.present(resetEmailSentAlert, animated: true, completion: nil)
}
})
} else {
//Show error that email entered is not correct format
// present the reset email alertbox again.
}
}))
func isValidEmail(testStr:String) -> Bool {
let emailRegEx = "[A-Z0-9a-z._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,64}"
let emailTest = NSPredicate(format:"SELF MATCHES %@", emailRegEx)
return emailTest.evaluate(with: testStr)
}
有一个解析电子邮件适配器来验证电子邮件。
Verifying user email addresses and enabling password reset via email requires an email adapter. As part of the parse-server package we provide an adapter for sending email through Mailgun. To use it, sign up for Mailgun, and add this to your initialization code:
关于 Parse Server 未通知客户端具有所提供电子邮件地址的用户不存在:
Parse Server 的 3.1.0 版之前,如果未找到电子邮件地址,重置密码的请求会返回错误,但这是一个安全风险,因为它允许攻击者获取用户数据以用于暴力攻击- 看到这个 explanation.
你也可以看看changelog and the PR that implemented this change。
在发出密码重置请求之前,仍然可以通过查询 User class 自行实现。但是,这不应该在客户端代码中完成,因为它要求用户数据可以 public 访问,这是对隐私的重大侵犯。它也可以使用主密钥在云代码中实现,这样 public 就无法访问用户数据,但这会带来上述相同的安全风险。