
How to validate the data like Username, Password?

ssingh-21
1-Visitor

How to validate the data like Username, Password?

7 REPLIES
PaiChung
22-Sapphire I
(To:ssingh-21)

You would need to have users set that through a Mashup so you can use a service to verify it before applying it.

qngo
12-Amethyst
(To:PaiChung)

Can you please give more details? Would the service "Resources["EncryptionServices"].EncryptPropertyValue(params);" be useful to compare passwords? (How to set an attribute with type PASSWORD?)

I have some use-cases which would need to manually validate the username and password, instead of using the FormLogin page. One of the use-cases is one common login for an organization, then users will only choose their name from a user list and validate to continue.

ptc-6292103
12-Amethyst
(To:qngo)

Here's how I do it.

I have an admin user with an app key ("appkeyap-pkey-appk-eyap-pkeyappkeyap"). Then, I have a service which takes a username and an unencrypted password, and returns a boolean. This service retrieves the user record via REST API, encrypts the incoming password, and compares it to the stored password.

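var result = false;
// App key belonging to the admin user.
var appKey = "appkeyap-pkey-appk-eyap-pkeyappkeyap";

if (username && Users[username]) try {
  // Export the user record over loopback; the username is URL-encoded before it goes into the path.
  var exportUrl = "http://127.0.0.1:8080/Thingworx/Users/" + encodeURIComponent(username) + "?appKey=" + appKey + "&Accept=application/json";
  var user = Resources.ContentLoaderFunctions.LoadJSON({ url : exportUrl });
  var correct = user.password;
  // encryptString is a helper that is not shown in the post.
  result = encryptString(password || "") === correct;
} catch (_) { /* don't care */ }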

This code was written a long time ago, and at the time, the password hash was only available on the exported User record (via REST API); you might need to adjust settings for the REST API to use this.

PaiChung
22-Sapphire I
(To:ptc-6292103)

Hey Chad, pretty cool.

However, this has major security implications: it basically puts all user names and passwords at risk to anyone that might lift the appkey from your URL/REST POST.

Well, if we could validate credentials without logging in or having to export the whole user, then we'd do that. At least the implementation is local-to-local, so it doesn't leave the local network; and since it's loopback, it might not even leave the machine.

However, it would certainly be a bad idea to do this over the internet.

qngo
12-Amethyst
(To:ssingh-21)

Pai said "You would need to have users set that through a Mashup so you can use a service to verify it before applying it."

Does anyone know which service he talked about?


PaiChung
22-Sapphire I
(To:qngo)

Run a Regular Expression check (RegEx), and then you can use AssignNewPassword, which can only be used by Admin and Security Admin.
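
The check-then-apply flow described in the reply above, as an added example that is not part of the original thread or of ThingWorx itself. The policy values, the function names and the `assign` callback are assumptions chosen for illustration; the callback stands in for the platform's AssignNewPassword call so the checks can run outside the platform.

```javascript
// Added example: policy values are assumptions, not ThingWorx defaults.
// Without the "m" flag, ^ and $ anchor to the whole string in JavaScript,
// so a trailing newline or an embedded line break cannot slip past the check.
var USERNAME_RE = /^[A-Za-z][A-Za-z0-9._-]{2,31}$/; // 3-32 chars, starts with a letter
var PASSWORD_MIN = 12, PASSWORD_MAX = 128;

// Returns the names of the rules that failed; an empty array means the input is acceptable.
function validateCredentials(username, password) {
  var errors = [];
  if (typeof username !== "string" || !USERNAME_RE.test(username)) {
    errors.push("username-format");
  }
  if (typeof password !== "string") {
    errors.push("password-missing");
    return errors;
  }
  if (password.length < PASSWORD_MIN || password.length > PASSWORD_MAX) {
    errors.push("password-length");
  }
  if (/[\u0000-\u001f\u007f]/.test(password)) errors.push("password-control-char");
  if (!/[a-z]/.test(password)) errors.push("password-needs-lowercase");
  if (!/[A-Z]/.test(password)) errors.push("password-needs-uppercase");
  if (!/[0-9]/.test(password)) errors.push("password-needs-digit");
  // Reject passwords that embed the account name, compared case-insensitively.
  if (typeof username === "string" && username.length > 0 &&
      password.toLowerCase().indexOf(username.toLowerCase()) !== -1) {
    errors.push("password-contains-username");
  }
  return errors;
}

// Applies the password only when every check passes. `assign` is a hypothetical
// callback wrapping the platform call, which stays restricted to admin roles.
function setPasswordIfValid(username, password, assign) {
  var errors = validateCredentials(username, password);
  if (errors.length === 0) assign(username, password);
  return { applied: errors.length === 0, errors: errors };
}
```

The returned rule names can be shown to the user in the Mashup without echoing the submitted password back.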
