fix: remove username in $validFields by default #498
Conversation
The default configuration does not validate username.
Seems logical. Please wait for a review from @datamweb
@kenjis I already saw someone looking for a method to support both username and email for login.
By default, Shield accepts only one field for login.
But my idea was that with changes in the front end, for example with the help of Vue.js, the user can identify whether the input is an email or a username.
Of course, this requires changes in the default validation rules (required_without / required_with and permit_empty).
I have not done this in practice.
Now my question is, did I think right or not?
If it is true, doesn't this PR create a limitation?
You think right. If you configure correctly, you can send either email or username as a login id.
No, this PR just changes the default configuration.
Thanks!
I did not see any problem in the registration process.
And login with username is OK.
(Of course, it should be as follows)
public array $validFields = [
'email',
'username',
];
Data of Table "auth_logins":
+----+------------+--------------------+----------+------------+---------+--------------------+---------+
| id | ip_address | user_agent | id_type | identifier | user_id | date | success |
+----+------------+--------------------+----------+------------+---------+--------------------+---------+
| 26 | ::1 | Mozilla/5.0 (Wi... | username | Pooya | 3 | 2022-11-01 17:1... | 1 |
+----+------------+--------------------+----------+------------+---------+--------------------+---------+
The default configuration does not support username as login id. There is no form input for username, and no validation rules for it. But Shield accepts username in the login form (attackers can send any field), and sends it to the database without validation.
This is not an exploitable vulnerability, but it is undesirable. Unvalidated user input should not be sent to the database.
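The behaviour described above, together with the required_without / permit_empty approach raised earlier in the thread, as an added example in plain PHP that is not Shield's own code: validate(), prepareLogin() and report() are constructed stand-ins for the framework pieces, and the rule strings and sample POST bodies are assumptions made up for the illustration. It contrasts the pre-PR default (username listed in $validFields with no rule for it), the post-PR default (email only), and a configuration that opts back into both ids with rules for each.

```php
<?php
declare(strict_types=1);

// Added illustration, not Shield's own code. validate() is a stand-in for the
// framework validator covering only required, required_without, permit_empty,
// max_length and valid_email; prepareLogin() models "take the POST fields named
// in $validFields and hand them to the user lookup". All inputs are constructed.

/** Parse "permit_empty|max_length[30]" into ['permit_empty' => null, 'max_length' => '30']. */
function parseRules(string $ruleString): array
{
    $parsed = [];
    foreach (explode('|', $ruleString) as $rule) {
        [$name, $param] = array_pad(explode('[', rtrim($rule, ']'), 2), 2, null);
        $parsed[$name] = $param;
    }
    return $parsed;
}

/** Return ['field' => ['failed rule', ...]] for every field that has a rule set. */
function validate(array $data, array $rules): array
{
    $errors = [];
    foreach ($rules as $field => $ruleString) {
        $parsed = parseRules($ruleString);
        $value  = trim((string) ($data[$field] ?? ''));

        if ($value === '') {
            // Empty input: only the presence rules decide. permit_empty does not
            // silence required_without, which is what makes "either id" work.
            if (array_key_exists('required', $parsed)) {
                $errors[$field][] = 'required';
            } elseif (array_key_exists('required_without', $parsed)
                && trim((string) ($data[$parsed['required_without']] ?? '')) === '') {
                $errors[$field][] = 'required_without[' . $parsed['required_without'] . ']';
            }
            continue;
        }
        if (isset($parsed['max_length']) && mb_strlen($value) > (int) $parsed['max_length']) {
            $errors[$field][] = 'max_length[' . $parsed['max_length'] . ']';
        }
        if (array_key_exists('valid_email', $parsed) && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            $errors[$field][] = 'valid_email';
        }
    }
    return $errors;
}

/**
 * Returns [credentials, errors, unvalidated]. credentials are the non-empty POST
 * fields named in $validFields (what the user lookup would be queried with);
 * unvalidated lists those among them that no validation rule ever inspected.
 */
function prepareLogin(array $post, array $validFields, array $rules): array
{
    $errors      = validate($post, $rules);
    $credentials = [];
    foreach ($validFields as $field) {
        if (($post[$field] ?? '') !== '') {
            $credentials[$field] = $post[$field];
        }
    }
    $unvalidated = array_values(array_diff(array_keys($credentials), array_keys($rules)));
    return [$credentials, $errors, $unvalidated];
}

function report(string $label, array $result): void
{
    [$credentials, $errors, $unvalidated] = $result;
    printf("%s\n  credentials: %s\n  errors: %s\n  unvalidated: %s\n",
        $label, json_encode($credentials), json_encode($errors), json_encode($unvalidated));
}

// Constructed request: the form renders only an email input, but a client can add fields.
$post = ['email' => 'pooya@example.com', 'username' => str_repeat('A', 300), 'password' => 'secret'];

// The default rule set only knows about email and password.
$defaultRules = [
    'email'    => 'required|max_length[254]|valid_email',
    'password' => 'required',
];

// Before the PR: 'username' is in $validFields, so the 300-character value is
// forwarded to the lookup although no rule looked at it.
report('before PR', prepareLogin($post, ['email', 'username'], $defaultRules));

// After the PR: 'username' is not a valid login field, so the stray value is dropped.
report('after PR', prepareLogin($post, ['email'], $defaultRules));

// Opting back into both ids: list both fields AND give each its own rules.
$eitherRules = [
    'email'    => 'permit_empty|required_without[username]|max_length[254]|valid_email',
    'username' => 'permit_empty|required_without[email]|max_length[30]',
    'password' => 'required',
];
report('either id, oversized username', prepareLogin($post, ['email', 'username'], $eitherRules));
report('either id, username only', prepareLogin(['username' => 'Pooya', 'password' => 'secret'], ['email', 'username'], $eitherRules));
report('either id, no id at all', prepareLogin(['password' => 'secret'], ['email', 'username'], $eitherRules));
```

The point of the three configurations is the last element of each result: a field may only appear in $validFields when a rule set covers it, otherwise the value goes to the lookup query untouched. When both ids are wanted, pairing permit_empty with required_without on each field makes exactly one of them mandatory while still applying the length and format checks to whichever was supplied.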