manual validation code for login.

Forums for specific tips, techniques and example code
Jay
Posts: 25
Joined: Mon Jul 23, 2018 10:15 am

manual validation code for login.

Postby Jay » Tue Sep 18, 2018 10:43 pm

The code is written in the method of the form which is view model.
The error occurs while the iteration. It can go into while iteration but it doesn't read any user. I feel like the reason of errors is I 'm trying to get access to Dictionary which is located in the model view.
What did I do wrong?



Code: Select all

loginValidation(id:String io; password:String io):Boolean; vars user:User; iter:Iterator; userDict:UserByID; begin userDict:=UserByID.firstInstance(); iter:=userDict.createIterator(); id:=id.trimBlanks(); password:=password.trimBlanks(); while iter.next(user) do //write user.lastName; if (user.identification = id or user.email=id)and (user.password=password)then return true; else return false; endif; endwhile; end;

User avatar
ghosttie
Posts: 181
Joined: Sat Aug 15, 2009 1:25 am
Location: Atlanta, GA, USA
Contact:

Re: manual validation code for login.

Postby ghosttie » Wed Sep 19, 2018 2:10 am

Can you post the exception?
I have a catapult. Give me all the money or I will fling an enormous rock at your head.

JohnP
Posts: 73
Joined: Mon Sep 28, 2009 8:41 am
Location: Christchurch

Re: manual validation code for login.

Postby JohnP » Wed Sep 19, 2018 5:50 am

Shouldn't the return false only happen if the while loop doesn't find a match? Otherwise it returns false if the first user isn't the right one.

Code: Select all

while iter.next(user) do //write user.lastName; if (user.identification = id or user.email=id)and (user.password=password)then return true; endif; endwhile; return false;

User avatar
BeeJay
Posts: 312
Joined: Tue Jun 30, 2009 2:42 pm
Location: Christchurch, NZ

Re: manual validation code for login.

Postby BeeJay » Wed Sep 19, 2018 8:23 am

You seem to be making the assumption that the following line of code will actually find a shared instance of the UserByID dictionary class:

Code: Select all

userDict:=UserByID.firstInstance();
Simply defining a dictionary doesn't mean any instances of that dictionary will exist. Also, it is very, very unusual to use a shared persistent dictionary instance rather than having a property of that type on another object.

For example, in a simple system you may have a 'Root' singleton which has a Root::allUsersByID reference, of type UserByID dict, inversed to a User::myRoot reference. In this setup, when you create an instance of User and set the User::myRoot reference to your Root singleton instance, it will automatically add that user into the exclusive subObject instance of the UserByID dictionary class that represents the Root::allUsersByID reference. This concept of automatically maintained references is one of the more powerful features of the JADE Object Manager (JOM).

With this setup, after the following line of code executes, the userDict local variable will still be null, as there is no shared instance of the UserByID dictionary class. This will still be the case even if you have created your Root object singleton, several User objects, and set the User::myRoot reference appropriately. There will be an exclusive subObject instance of type UserByID dictionary, but you'll never be able to access that using the following line of code:

Code: Select all

userDict:=UserByID.firstInstance();
In the scenario described above, your code could be rewritten as follows, although it would be more normal to have a 'myRoot' reference to your Root singleton on your application subclass, so you can set this up during application initialise and then simply code app.myRoot when you need to dereference your Root singleton. The following code 'accesses' the exclusive subObject instance of UserByID dict by way of the property on the owning instance of the Root singleton.

Code: Select all

iter := Root.firstInstance.allUsersByID.createIterator(); while iter.next(user) do if (user.identification = id or user.email=id) and (user.password=password) then return true; endif; endwhile; return false;
Cheers,
BeeJay.

allistar
Posts: 156
Joined: Fri Aug 14, 2009 11:02 am
Location: Mount Maunganui, Tauranga

Re: manual validation code for login.

Postby allistar » Wed Sep 19, 2018 5:31 pm

I'm not sure if this is for a real system or not, but storing the password in plain text is very insecure. If this is a demo, play or learning environment then it's not a big deal and you can ignore this advice. :-)

Good security requires that you never store passwords. There are no exceptions to this rule. Instead have use a salt per user (e.g. a very large random string) and hash the password+salt combination using a robust hashing algorithm. If you as a developer have a way of determining what your users' passwords are then the system is insecure.

User avatar
ghosttie
Posts: 181
Joined: Sat Aug 15, 2009 1:25 am
Location: Atlanta, GA, USA
Contact:

Re: manual validation code for login.

Postby ghosttie » Thu Sep 20, 2018 2:36 am

I had to outsource password hashing to a .NET component in order to use the recommended PBKDF2 hash function - is everyone doing something like this or is there a native JADE way of doing it?
I have a catapult. Give me all the money or I will fling an enormous rock at your head.

allistar
Posts: 156
Joined: Fri Aug 14, 2009 11:02 am
Location: Mount Maunganui, Tauranga

Re: manual validation code for login.

Postby allistar » Thu Sep 20, 2018 1:28 pm

A list of PBKDF2 algorithms are:

https://en.wikipedia.org/wiki/List_of_P ... mentations

There is an implementation in openssl which should be usable in Jade in an external function call (I haven't tried this). I would expect that implementing the whole algorithm in Jade would make it far too slow (and would take ages to implement). I tend to favour external function calls than .NET calls.

Given how important this is to securing an application it would be good for this to be a built in Jade method (on String, or Application/Node/Process).

User avatar
BeeJay
Posts: 312
Joined: Tue Jun 30, 2009 2:42 pm
Location: Christchurch, NZ

Re: manual validation code for login.

Postby BeeJay » Thu Sep 20, 2018 3:41 pm

I'm not sure if this is for a real system or not, but storing the password in plain text is very insecure. If this is a demo, play or learning environment then it's not a big deal and you can ignore this advice. :-)
Thanks Allistar. I had intended to mention that passwords should be securely encrypted prior to storing in my response as well, but overlooked mentioning that in my previous response. :(

Cheers,
BeeJay.

Jay
Posts: 25
Joined: Mon Jul 23, 2018 10:15 am

Re: manual validation code for login.

Postby Jay » Thu Sep 20, 2018 4:36 pm

You seem to be making the assumption that the following line of code will actually find a shared instance of the UserByID dictionary class:

Code: Select all

userDict:=UserByID.firstInstance();
Simply defining a dictionary doesn't mean any instances of that dictionary will exist. Also, it is very, very unusual to use a shared persistent dictionary instance rather than having a property of that type on another object.

For example, in a simple system you may have a 'Root' singleton which has a Root::allUsersByID reference, of type UserByID dict, inversed to a User::myRoot reference. In this setup, when you create an instance of User and set the User::myRoot reference to your Root singleton instance, it will automatically add that user into the exclusive subObject instance of the UserByID dictionary class that represents the Root::allUsersByID reference. This concept of automatically maintained references is one of the more powerful features of the JADE Object Manager (JOM).

With this setup, after the following line of code executes, the userDict local variable will still be null, as there is no shared instance of the UserByID dictionary class. This will still be the case even if you have created your Root object singleton, several User objects, and set the User::myRoot reference appropriately. There will be an exclusive subObject instance of type UserByID dictionary, but you'll never be able to access that using the following line of code:

Code: Select all

userDict:=UserByID.firstInstance();
In the scenario described above, your code could be rewritten as follows, although it would be more normal to have a 'myRoot' reference to your Root singleton on your application subclass, so you can set this up during application initialise and then simply code app.myRoot when you need to dereference your Root singleton. The following code 'accesses' the exclusive subObject instance of UserByID dict by way of the property on the owning instance of the Root singleton.

Code: Select all

iter := Root.firstInstance.allUsersByID.createIterator(); while iter.next(user) do if (user.identification = id or user.email=id) and (user.password=password) then return true; endif; endwhile; return false;
Cheers,
BeeJay.

What could the type of "root" be? Maybe the ModelSchema? or Rootschema global?
Thank you. I am a student and beginner learning Jade and have some project going on

allistar
Posts: 156
Joined: Fri Aug 14, 2009 11:02 am
Location: Mount Maunganui, Tauranga

Re: manual validation code for login.

Postby allistar » Thu Sep 20, 2018 9:05 pm

Hi Jay,
Define a class called "Root" in the model schema and hang the rest of the model off that. Imagine if you were to pick up the Root singleton object, every single object in the database should hang from it in some way like a deep tree. Create a single instance of this class in a JadeScript. When the app initialises store a reference to it by finding the firstInstance of that class and set an app property called something like "myRoot".

Having a root singleton is a very common pattern. Complex systems can have many of them.

Regards,
Allistar.


Return to “Tips and Techniques”

Who is online

Users browsing this forum: No registered users and 10 guests

cron