Description
The AuthService should be reworked: it is very messy and most likely contains bugs that have not been found yet. It currently keeps the following overlapping pieces of authentication state:
user: BehaviorSubject<AuthData | null>
_authUser$: BehaviorSubject<AuthUser | null>
isAuthenticated: boolean
logged: ReplaySubject
userLoggedIn: Subject
JWT decoding: Node's Buffer (not available in the browser) should be replaced with a browser-safe base64url decoder that correctly handles the URL-safe alphabet and the missing padding of JWT segments.
Login Function:
Credentials are sent in both the header and the body, which is redundant and increases the exposure surface -> decide on one method depending on what the server requires (I think the body variant).
Username and password are base64 encoded with "window.btoa", which only supports Latin-1 (it encodes each character as a single byte and throws on anything outside that range, so the bytes never match the server's UTF-8 view of the same string). This could lock users out if they change their password to one containing non-ASCII characters, for example the German ä, ö, ü or the French é, è, î. See sub-issue [BUG]: Username/Password base64 encoding bug #1915.
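The two encoding problems above (base64url JWT payloads and UTF-8-safe Basic credentials) can both be solved without Node's Buffer, using only atob/btoa and TextEncoder/TextDecoder, which exist in browsers and in Node 16+. The block below is an added illustration written for this issue, not code from the project's AuthService; the function names and the sample token are made up.

```javascript
// Added example for this issue (not the project's AuthService code).
// Assumed names: base64UrlDecode, decodeJwtPayload, encodeBasicCredentials,
// decodeBasicCredentials. Browser-safe: no Node Buffer.

// Decode a base64url string (RFC 4648 section 5, usually unpadded) into bytes.
function base64UrlDecode(input) {
  if (typeof input !== 'string') throw new TypeError('base64url input must be a string');
  // Map the URL-safe alphabet back to standard base64 characters.
  let b64 = input.replace(/-/g, '+').replace(/_/g, '/');
  // Restore the '=' padding that JWT segments omit. A remainder of 1 can never
  // occur for valid base64, so reject it instead of silently producing garbage.
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid base64url length');
  if (rem > 0) b64 += '='.repeat(4 - rem);
  const bin = atob(b64); // atob works in browsers and Node >= 16
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Read the claims of a JWT in compact serialization. This does NOT verify the
// signature: the client may use the claims for UI decisions only, and the
// server must still validate the token on every request.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  const bytes = base64UrlDecode(parts[1]);
  // fatal: true makes malformed UTF-8 throw instead of yielding U+FFFD.
  const json = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  return JSON.parse(json);
}

// UTF-8-safe replacement for window.btoa(username + ':' + password).
// The string is first encoded to UTF-8 bytes, then those bytes are base64'd,
// so the server decoding the header as UTF-8 sees exactly what the user typed.
function encodeBasicCredentials(username, password) {
  if (username.includes(':')) throw new Error('username must not contain ":" (RFC 7617)');
  const bytes = new TextEncoder().encode(`${username}:${password}`);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

// Inverse of encodeBasicCredentials, as a server would do it; used here to show
// that non-Latin-1 passwords survive the round trip.
function decodeBasicCredentials(b64) {
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const text = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  const idx = text.indexOf(':');
  if (idx < 0) throw new Error('missing ":" separator');
  return { username: text.slice(0, idx), password: text.slice(idx + 1) };
}

// Usage with a constructed, unsigned sample token: header {"alg":"HS256"},
// payload {"sub":"a"}, dummy signature.
const sampleToken = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhIn0.sig';
console.log(decodeJwtPayload(sampleToken));                 // { sub: 'a' }
console.log(encodeBasicCredentials('jürgen', 'pässwörd'));  // UTF-8 based base64
```

Note that the decoder treats the token as untrusted input: it rejects malformed lengths and invalid UTF-8 rather than returning a partially decoded object, and nothing in it implies the token is authentic.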