SECURITY RISK -- Incorrect security identity used in query when multiple identities are set

Wappler Version : 3.9.1
Operating System : mac
Server Model: node
Database Type: maria
Hosting Type: node

Expected behavior

When using a query, the proper security identity should be used.

Actual behavior

The last identity set in Globals is used in the query

How to reproduce

The database users table:

The security providers:

The Global steps:

The query:

The login:


Create a content page:

<!doctype html>
<html>

<head>
    <meta name="ac:route" content="/security_test">
    <base href="/">
    <script src="dmxAppConnect/dmxAppConnect.js"></script>
    <meta charset="UTF-8">
    <title>Untitled Document</title>
    <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script>
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN" crossorigin="anonymous" />
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <link rel="stylesheet" href="bootstrap/5/css/bootstrap.min.css" />
</head>

<body is="dmx-app" id="security_test">
    <dmx-serverconnect id="sc_get_user" url="api/get_user"></dmx-serverconnect>
    <dmx-serverconnect id="sc_login" url="api/login" noload></dmx-serverconnect>
    <dmx-serverconnect id="sc_logout" url="api/logout" noload></dmx-serverconnect>
    <h1>Security Test</h1>
    <button id="btn1" class="btn" dmx-on:click="sc_login.load()">Login</button>
    <button id="btn2" class="btn" dmx-on:click="sc_logout.load()">Logout</button>
    <script src="bootstrap/5/js/bootstrap.bundle.min.js"></script>
</body>

</html>

Run the content page in the browser.

Click the Login button.

Refresh the page.

The user retrieved will be:

See that the user's last name is ‘ABCLast’, which matches the alternate_identity ‘abc’; however, the query is using identity, not the alternate.

THIS IS THE ISSUE – The query is using the ‘alternative_identity’, even though it is set to {{identity}}.

If you switch the order of the identity actions in globals and refresh the page, the user will change to:

‘UserLast’, matches the identity ‘user’

I see two login actions at the login stage. Could that be the issue? Why would you do that?

The logins are for different security providers that authenticate different things.

I am not completely sure I understand your idea here.
Why do you have two login steps in the same server action? I don’t really get the logic of what I see in your screenshots.

The bug report template asks for how to replicate the bug being reported… that’s what I’ve attempted to do.

I’m not looking to get into a conversation about why I’m doing this because an alternate solution does not deal with the bug.

Wappler allows for multiple security providers, and allows for them to be used simultaneously, so it is a bug that the identities are getting crossed.

And I would argue, a very significant bug.


Ken, all I am asking is what are you trying to achieve exactly? Probably you are just not doing it correctly.

Thank you, I always appreciate your desire to help Teodor…I’m all set as I have worked around the bug.

Whether you guys deem this a bug and fix it, is up to you.

Can you not do this through a single login with two separate permissions assigned to the user?

Thanks for the offer to help Brian…I’m all set as I have worked around the bug.

The global identity variable holds the last used identity, so it depends on which security provider was last, as it overwrites the variable set by the previous one.

To make sure to have the correct identity you should use the identify action to get the identity from a security provider.


Got it.

Then I’d suggest that the global version of identify be a fixed action (no security provider choice) along with your description, rather than the current functionality that allows adding multiple identify actions, each with their own security provider.