
How to check user registration database for duplicate email address?

Posted: Thu Aug 07, 2014 8:40 pm
by R2R

I followed the tutorial on how to "login", "create user registration", and "change password using secret code". All screens work perfectly as per the tutorial, however, I CAN register with different usernames AND the same email address for both, which should NOT be allowed. You can see the security issue with that scenario. So, how do I make sure that the app checks the username AND the email address against the database to make sure there are no duplicates? The following code is right from the tutorial, and it does NOT execute the registerService if a username already exists. I also want to make sure the service DOES NOT execute when the same email is used by a different user. I'm sure it's only a few lines of code, but I'm not sure where to add them within the code below. Also, the following code is executed when btnRegister is clicked. I've provided an image of the Register screen as well:

if ($.trim(Appery("usernameInput").val()) !== "")
{
    if (Appery("passwordInput").val() == Appery("confirmPasswordInput").val())
    {
        if ($.trim(Appery("emailInput").val()) !== "")
        {
            if (!document.getElementsByName("emailInput")[0].checkValidity || document.getElementsByName("emailInput")[0].checkValidity())
            {
                registerService.execute({});
            }
            else
            {
                alert("Please enter a valid email address.");
            }
        }
        else
        {
            alert("Please enter your email address.");
        }
    }
    else
    {
        alert("Passwords don't match.");
    }
}
else
{
    alert("Please enter your username.");
}


Posted: Fri Aug 08, 2014 1:10 pm
by Maryna Brodina

Hello!

You need to check whether there is a similar email address in the Users collection. So you need to do a request as described here http://devcenter.appery.io/documentat... with the email parameter. Depending on the result, allow or decline registration. Another way is to set that the username has to be a specific email address.



Posted: Fri Aug 08, 2014 8:23 pm
by R2R

Hi Maryna, thank you for responding. I decided to try your second suggestion - to set the username to be an email address when registering. My registration screen works but when I try to recover my password, JS says "User not found" and yet the user is in the Users database. I've attached images. The only issue that I can see here may be with the "sendEmail" server script. It is invoked when I click the "Get Recovery Code" button on the Password Help screen in my app. Here's a portion of the code that looks for the username/email in the Users db.

...
try {
    // Get the user with a given username from the database
    var XHRResponse = XHR.send("GET", "https://api.appery.io/rest/1/db/users/", {
        "headers": {
            "X-Appery-Database-Id": dbId,
            "X-Appery-Master-Key": masterKey
        },
        "parameters": {
            "where": '{"username": {"$regex": "^' + encodeURIComponent(username) + '$", "$options":"i"}}'
        }
    });
...

I bet the line starting with "where": is looking for only uppercase and lower case letters but not special characters as you would have in an email address - for example "@". Do you think this is where the issue exists?
Can you help me fix these lines of code so that the script finds the email address/username in the Users db?

Thanks so much!
Artur


Posted: Sun Aug 10, 2014 11:52 pm
by Yurii Orishchuk

Hello,

Please use the following code for the "where" clause instead of yours:

"where": '{"username": {"$regex": "^' + username + '$", "$options":"i"}}'

Regards.
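
An added example (not part of the original posts and not Appery.io code) for the "where" clause above, now that the username is an email address. Characters such as "." and "+" are regex operators, so the sketch escapes them and serializes the clause with JSON.stringify; the function names are hypothetical and whereRaw reproduces the concatenation from the thread only for comparison.

```javascript
// Added example, not code from the thread or from Appery.io.
// All function names here are hypothetical.

// Escape every character that has a special meaning in a regular expression.
function escapeRegex(text) {
    return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Raw concatenation, as posted in the thread (kept only for comparison).
function whereRaw(username) {
    return '{"username": {"$regex": "^' + username + '$", "$options":"i"}}';
}

// Exact, case-insensitive match: the value is escaped before it becomes a
// pattern, and JSON.stringify takes care of quotes and backslashes.
function whereExact(field, value) {
    var clause = {};
    clause[field] = { "$regex": "^" + escapeRegex(value) + "$", "$options": "i" };
    return JSON.stringify(clause);
}

// True if the string can be parsed as JSON at all.
function isValidJson(text) {
    try { JSON.parse(text); return true; } catch (e) { return false; }
}

// Demonstration helper: apply the pattern of a where clause to a candidate
// value the way a regex engine would.
function matches(whereJson, field, candidate) {
    var cond = JSON.parse(whereJson)[field];
    return new RegExp(cond.$regex, cond.$options).test(candidate);
}

// Constructed sample address with characters that are regex operators.
var sample = "user+tag@example.com";
console.log(matches(whereRaw(sample), "username", sample));
console.log(matches(whereExact("username", sample), "username", sample));
```

With the raw pattern the constructed address does not match itself, because "+" is read as a quantifier, while the escaped pattern matches it and nothing else.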



Posted: Mon Aug 11, 2014 1:27 pm
by R2R

Yurii, thank you for your help. This worked perfectly! I appreciate how responsive the team at Appery.io is.

-Artur



Posted: Tue Oct 21, 2014 5:16 pm
by Ed Chmiel

I have a question about option #1 - doing a user query. What I don't understand is how to query the database when one does not yet have the sessionToken. That is provided with successful login, but in the case of testing BEFORE the login (i.e. don't allow that user id and password if a duplicate email exists), I don't see how to get it. Can you elaborate, thanks!



Posted: Wed Oct 22, 2014 3:30 am
by Yurii Orishchuk

Hi Ed,

For this case you can use the master key.

The best way is to use "server code" for this goal, because the master key is security-sensitive.

See details about how to work with server code:
Tutorial: http://devcenter.appery.io/tutorials/...
Full doc: http://devcenter.appery.io/documentat...

Regards.
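
An added sketch (not from the original posts, not Appery.io code) of the server-side duplicate-email lookup described above, with the master key staying in the server script. The names emailInUse, cfg and fakeSend are hypothetical; `send` stands in for the XHR.send call quoted earlier in the thread, and the response shape ({status, body}) is an assumption.

```javascript
// Added example, not code from the thread or from Appery.io.
// emailInUse, cfg and fakeSend are hypothetical names; `send` stands in for
// the server-side XHR.send call, and {status, body} is an assumed response.

function escapeRegex(text) {
    return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Returns true if a user with this email (any letter case) already exists.
function emailInUse(email, cfg, send) {
    var where = JSON.stringify({
        email: { "$regex": "^" + escapeRegex(email.trim()) + "$", "$options": "i" }
    });
    var res = send("GET", "https://api.appery.io/rest/1/db/users/", {
        "headers": {
            "X-Appery-Database-Id": cfg.dbId,
            "X-Appery-Master-Key": cfg.masterKey // never shipped to the client
        },
        "parameters": { "where": where }
    });
    if (res.status !== 200) {
        // Fail closed: a lookup that did not succeed must not allow sign-up.
        throw new Error("user lookup failed with status " + res.status);
    }
    var rows = typeof res.body === "string" ? JSON.parse(res.body) : res.body;
    return rows.length > 0;
}

// Constructed stand-in for the Users collection so the sketch runs offline.
function fakeSend(users) {
    return function (method, url, options) {
        var cond = JSON.parse(options.parameters.where).email;
        var re = new RegExp(cond.$regex, cond.$options);
        var hits = users.filter(function (u) { return re.test(u.email); });
        return { status: 200, body: hits };
    };
}

// Constructed sample data and placeholder credentials.
var demoCfg = { dbId: "DB-ID-PLACEHOLDER", masterKey: "MASTER-KEY-PLACEHOLDER" };
var demoSend = fakeSend([{ email: "Ann.Lee@example.com" }]);
console.log(emailInUse("ann.lee@example.com", demoCfg, demoSend));
```

The lookup and the later create request are separate calls, so two simultaneous registrations can both pass the check; the script should return only a yes/no result to the app, never the matched records.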



Posted: Sun Apr 05, 2015 4:44 pm
by Makoto

I'm sorry to interrupt you, but I have the same issue.

In my case, I’d like to follow Maryna’s advice above and check whether the same email address is in the User collection or not.

I read the following documentation

http://devcenter.appery.io/documentat...,

but still don’t understand the way to achieve the goal.

Do I use the GET method (not the POST method) to check for the existing email address even for user registration?

Thank you.



Posted: Sun Apr 05, 2015 8:41 pm
by Illya Stepanov

Hi Makoto -

Could you please explain in more detail what exactly is not working?

If you're making a query to a database you will need to use the GET method as shown in our documentation.



Posted: Mon Apr 06, 2015 4:27 pm
by Makoto

Hi Illya,

Thank you for your quick reply.

As R2R did, I also created a register page with four input components, “username”, “password”, “confirm password”, and “email”.

Accordingly, I created a database and the collection has some fields. Three of them are “username”, “password”, and “email”.

When I try to register with an existing username in the database, the request is refused and the service returns a message like "User ‘abcd’ already exists in database.". And I can’t create a user account. This is the desirable outcome.

But when I try to register with an existing email in the database, the request is accepted and I can sign up a new user. This is not the desirable outcome.

So, I’d like to add similar (if-else) behavior for the case of registering with an existing email.

I think I should use POST Method to sign up (create) a new user, but I don’t know where to begin.