Output Checkbox for Security Login

Have started working on a new project where I don’t require the logged-in user’s ID to be returned from server connect.
The UI for Security Login does not have an Output checkbox as other server action steps do.
But on opening the file in editor, it shows that the Output key is set to true.

I tried setting it to false but saving the action from UI turns it to true again. Having it in the UI would be great.

After making the change, save the file and refresh the UI


This I have done. But when I save the server action later, it turns back to true.
It remains false until I save from UI the next time.

I don’t really understand what the issue with this is?
What’s the problem with the default settings of the login steps, which require you to open and edit the code?

This.

I think I did not test it well last time. The value for Output does not change automatically to true when saving the server action.
So it works by editing the file for now… but having a checkbox in the UI would be convenient.

Still not clear to me how that is a problem - why do you need this option turned off?

There is no such option here. I am asking for one.

Yes, I already understand that, the question is why (in what cases) would you ever set this to false?

This is why.

It might be a rare use case, but I do have it.
And since there is already an option in the json, it doesn’t hurt to show it in the UI… so created the feature request.

Just a question @sid, you don’t want to return the logged-in User’s ID to the page right? Does it return the logged-in user’s ID to the page after a successful login? I was not able to check this out on a test page yet. Just curious.

My understanding is that the ID is only returned server-side, unless I am mistaken. If it is returned back to the page then it may be a security concern and may be the reason why you don’t want an output returned.

But if it is only in the server-side then you don’t have to worry about it.

Hi @zitroware, in my brief testing of this… I found that by default, it always returns the logged in user’s ID in response as “identity”.

I also noticed that if I put in a browser.goto in the success event of the server connect, the response does not get loaded in Chrome’s inspector network tab.

The user’s ID is restricted to server side only if I manually edit the server action, set output = false and save the file.

I see, you are correct. I tried on my login page and removed the onsuccess redirection. It returned the user ID.

This would be a security concern in my opinion if you have page queries that use the user ID and the “curious” user is able to look into your SQL queries. Generally, you don’t need to get the user ID and use it in the front-end for the user details. If you need user validations, it can be done server-side.

That is correct and the very reason why I have put in the request for the Output checkbox to be shown in the UI.

Although from my experience so far, generally, less sensitive applications don’t really care about this ID. And most projects/apps I’ve seen here on Wappler just rely on security restrict options of Wappler and don’t really worry about the potential ID misuse.
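
Added example, not part of the thread and not Wappler's own code: a small audit that walks a parsed server action file and reports every login step whose output is not explicitly `false`, which is the condition the thread describes as returning the user's ID to the page as `identity`. The step layout used here (`module: 'auth'`, `action: 'login'`, nested `steps` arrays) is an assumption about the JSON file; only the `output` key and the `identity` name come from the thread, and the sample action is constructed.

```javascript
// Recursively collect login steps that would return their result to the client.
// Assumption: a login step is an object with module 'auth' and action 'login'.
function findExposedLoginSteps(node, path = '$') {
  const hits = [];
  if (Array.isArray(node)) {
    node.forEach((child, i) => {
      hits.push(...findExposedLoginSteps(child, `${path}[${i}]`));
    });
  } else if (node && typeof node === 'object') {
    const isLogin = node.module === 'auth' && node.action === 'login';
    // Only an explicit false counts as safe; a missing key is flagged for review.
    if (isLogin && node.output !== false) {
      hits.push({ path, name: node.name, output: node.output });
    }
    for (const [key, value] of Object.entries(node)) {
      hits.push(...findExposedLoginSteps(value, `${path}.${key}`));
    }
  }
  return hits;
}

// Constructed sample standing in for a server action file read with JSON.parse.
const sampleAction = {
  exec: {
    steps: [
      { name: 'identity', module: 'auth', action: 'login', output: true },
      { name: 'branch', module: 'core', action: 'condition', options: {
        then: { steps: [
          { name: 'identity2', module: 'auth', action: 'login', output: false },
          { name: 'legacyLogin', module: 'auth', action: 'login' }
        ] }
      } }
    ]
  }
};

function auditSample() {
  return findExposedLoginSteps(sampleAction);
}

for (const hit of auditSample()) {
  console.log(`${hit.path}: login step "${hit.name}" has output=${hit.output}`);
}
```

Running it over every server action file in a project after each save from the UI catches a step whose output has gone back to `true`.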