How to validate data like Username and Password?
You would need to have users set that through a Mashup so you can use a service to verify it before applying it.
Can you please give more details? Would the service "Resources["EncryptionServices"].EncryptPropertyValue(params);" be useful to compare passwords? (How to set an attribute with type PASSWORD?)
I have some use-cases which would need to validate username and password manually, instead of using the FormLogin page. One of the use-cases is one common login for an organization, then users will only choose their name from a users list and validate to continue.
Here's how I do it.
I have an admin user with an app key ("appkeyap-pkey-appk-eyap-pkeyappkeyap"). Then, I have a service which takes a username and an unencrypted password, and returns a boolean. This service retrieves the user record via REST API, encrypts the incoming password, and compares it to the stored password.
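var result = false;
// App key of the admin user; it is sent in the URL query string below.
var appKey = "appkeyap-pkey-appk-eyap-pkeyappkeyap";
// "username" and "password" are the service inputs; only proceed for an existing user.
if (username && Users[username]) try {
    // Export the user record as JSON over the loopback interface (username is URL-encoded).
    var exportUrl = "http://127.0.0.1:8080/Thingworx/Users/" + encodeURIComponent(username) + "?appKey=" + appKey + "&Accept=application/json";
    var user = Resources.ContentLoaderFunctions.LoadJSON({ url : exportUrl });
    var correct = user.password; // stored password value from the exported record
    // encryptString is a helper that is not shown in this post.
    result = encryptString(password || "") === correct;
} catch (_) { /* don't care */ }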
This code was written a long time ago, and at the time, the password hash was only available on the exported User record (via REST API); you might need to adjust settings for the REST API to use this.
Hey Chad, pretty cool.
However, this has major security implications: it basically puts all user names and passwords at risk to anyone that might lift the appkey from your URL/REST POST.
Well, if we could validate credentials without logging in or having to export the whole user, then we'd do that. At least the implementation is local-to-local, so it doesn't leave the local network; and since it's loopback, it might not even leave the machine.
However, it would certainly be a bad idea to do this over the internet.
Pai said "You would need to have users set that through a Mashup so you can use a service to verify it before applying it."
Does anyone know which service he talked about?
Run a Regular Expression check (RegEx), and then you can use AssignNewPassword, which can only be used by Admin and Security Admin.
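The regular-expression check suggested in the last reply, as an added example that is not part of the original thread and not ThingWorx's own code. The function name, the username pattern and the password policy values are assumptions; it is written in plain ES5-style JavaScript so it can be pasted into a server-side service, with the AssignNewPassword call made only when the returned list is empty.

```javascript
// Added example. Policy values are assumptions, not ThingWorx defaults.
// Username allow-list: starts with a letter, 3-64 chars from a fixed set.
var USERNAME_RE = /^[A-Za-z][A-Za-z0-9._-]{2,63}$/;

// Each password rule is a separate regex so the caller can report
// exactly which requirement failed instead of a single yes/no.
var PASSWORD_RULES = [
    { id: "length",     re: /^[\s\S]{12,128}$/ },      // counts any character
    { id: "lowercase",  re: /[a-z]/ },
    { id: "uppercase",  re: /[A-Z]/ },
    { id: "digit",      re: /[0-9]/ },
    { id: "symbol",     re: /[^A-Za-z0-9\s]/ },
    { id: "no-control", re: /^[^\x00-\x1F\x7F]*$/ }    // no CR/LF/NUL etc.
];

// Returns an array of failed rule ids; an empty array means the
// username/password pair passed every check.
function validateCredentials(username, password) {
    var failures = [];
    // Normalise missing inputs to empty strings so the regexes never
    // test the literal text "null" or "undefined".
    username = String(username == null ? "" : username);
    password = String(password == null ? "" : password);

    if (!USERNAME_RE.test(username)) {
        failures.push("username-format");
    }
    for (var i = 0; i < PASSWORD_RULES.length; i++) {
        if (!PASSWORD_RULES[i].re.test(password)) {
            failures.push(PASSWORD_RULES[i].id);
        }
    }
    // A password that embeds the username (case-insensitive) is rejected;
    // this depends on both inputs, so it is done outside the regex table.
    if (username.length > 0 &&
        password.toLowerCase().indexOf(username.toLowerCase()) !== -1) {
        failures.push("contains-username");
    }
    return failures;
}
```

Returning the failed rule ids lets a Mashup show the user which requirement to fix, and the same function can run server-side so the check cannot be bypassed by calling the service directly.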