AeroGear / AEROGEAR-4437

TODO: JavaScript auth: running a second (and invalid) login returns the login response from the first (valid) login


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Version: 1.0.0
    • Component: examples

      If you log in with the correct user/password and afterwards issue a wrong login (with a wrong user/password), you get the 'response' from the first (valid) login, since the Cookie value from the previous response (Set-Cookie header) is sent along with the second request.

      Here is a little test script. You can execute it in the Chrome console against our todoauth app on OpenShift:

      // create a new auth module:
      var restyAuth = AeroGear.Auth({name: "auty", settings: {agAuth: true, baseURL: "/todo-server/", endpoints: {enroll: "auth/enroll"}}}).modules.auty;
      
      // prepare some JSON for the user/password
      var data = {username: "john", password: "123"};
      
      // do the login, and see a 'JO!!!!!' on the console (-> hopefully)
      restyAuth.login( JSON.stringify( data ), {
          contentType: "application/json",
          dataType: "json",
          success: function( data ) {
              console.log("JO!!!!!");
          }
      });
      
      // Ah, we got the success callback!
      
      // NOTE: the response from the above carried a 'Set-Cookie' header
      
      // now let's make up some user name ..... :
      data = {username: "johnnnnyyyyyysdsadsd", password: "johnnnnyyyyyysdsadsd"};
      
      // run the login again, with the WRONG user data
      // (the browser automatically attaches the cookie from the first response)
      restyAuth.login( JSON.stringify( data ), {
          contentType: "application/json",
          dataType: "json",
          success: function( data ) {
              console.log("JO!!!!!");   // fires again, although the credentials are wrong
          }
      });
      

      The cookie value from the FIRST response is sent to the server when doing the second (invalid) login. Therefore we see the invocation of the 'success' callback on the second login as well. Also, the response received on the second login is the same one we got from the first:

      {"username":"john","roles":["admin"],"logged":"true"}

      Because the Cookie from the initial john/123 login was used...

      Lucas Holmquist (lholmqui@redhat.com)
      Matthias Wessendorf (mwessend@redhat.com)