Create user password


#1

Imported Google Group message. Original thread at: https://groups.google.com/forum/#!topic/tyk-community-support/bTv8uNvWpwo Import Date: 2016-01-19 21:24:09 +0000.
Sender: Ian Harris.
Date: Thursday, 17 September 2015 09:32:42 UTC+1.

Hi,

When I create a user using the advanced management API, do I need to hash the password before adding it to the user object I’m submitting? And if so, what hash should be applied?

I’ve added a user this way and I am trying to log into the portal, but it’s failing. Also, when I list all users using the advanced management API, the password in the returned field is plaintext, not hashed.

Thanks,
Ian.


#2

Imported Google Group message.
Sender: Martin Buhr.
Date: Thursday, 17 September 2015 09:38:33 UTC+1.

Hi Ian,

You shouldn’t have to (it should hash if it’s a new user by default - but we may have a bug here).

What we do in our automation tasks with tyk Cloud+ the advanced API is to create the user object with a random string as password and then use the reset password endpoint to secure the user right after it’s been created (/api/users/{uid}/actions/reset), docs are on this page.

Cheers,
Martin


#3

Imported Google Group message.
Sender: Ian Harris.
Date: Thursday, 17 September 2015 09:54:26 UTC+1.

Hi Martin,

Thanks for the quick reply.

The reset worked. When I do a get on users I now see a hashed version of the password.

I still can’t log in with my password on the dashboard, but perhaps that’s something I haven’t hooked up correctly yet. Should it be sufficient to create an organisation and add a user to that organisation (both done with the advanced management API) to be able to log into the dashboard?

I’m using the docker images for tyk and have the mongo, redis, gateway, dashboard and nginx images running.

Thanks,
Ian.


#4

Imported Google Group message.
Sender: Martin Buhr.
Date: Thursday, 17 September 2015 10:25:44 UTC+1.

Hi Ian,

Good to hear :)

Regarding login, the first thing to check when you pull the user info is whether the user is marked as active (active: true).

The other thing is that when using the users API (accessed via a dashboard users API Key), all operations are limited to the organisation of the originating user. This ensures that there is no leakage when dashboard users automate tasks within their org.

This is why creating an Org is done with a special admin API (special privileges, can’t be accessed by dashboard users). In order to automate user creation there’s also an admin API for Users (to add users). This isn’t particularly well documented. But we use it in the quickstart to generate the test user:

POST http://$LOCALIP:3000/admin/users

HEADERS
"admin-auth: 12345"
"Content-Type: application/json"

BODY
{
    "first_name": "John",
    "last_name": "Smith",
    "email_address": "'$RANDOM…@test.com",
    "active": true,
    "org_id": "'$ORGID'"
}

The admin API for users allows for the assignment of an Org ID to any org. Notice there’s no password, so you would now need to get that user using a valid org-based API key and then set their password (take a look at how the quickstart does it: https://gist.github.com/lonelycode/4f645c4733faaa74d8fd#file-tyk_quickstart-sh-L59) - we are looking to expand this API to make it more friendly for admins.

Of course if you are not creating new orgs, then using the regular API with an initial dashboard user should work just fine, so long as they are marked as active.

Mind sharing your user listing output so we can diagnose?

Cheers,
Martin


#5

Imported Google Group message.
Sender: Ian Harris.
Date: Thursday, 17 September 2015 10:45:34 UTC+1.

Hi Martin,

I was using the admin API to create the users. The order it was done in was create org (/admin/organisations/), create super user and then create user (both /admin/users/) and then reset password using /api/users/user_id/actions/reset. I’m now trying to log into the created org’s dashboard using the org user account.

Yeah that’s no problem - this is only a test system. Here’s the list of users:

{
    "users": [{
        "api_model": {},
        "first_name": "Super",
        "last_name": "User",
        "email_address": "[email protected]",
        "password": "",
        "org_id": "",
        "active": true,
        "id": "55fa717328d54ac9e78af8b6",
        "access_key": "8b3a5b33dca140744324edc14d10abce"
    },
    {
        "api_model": {},
        "first_name": "Org",
        "last_name": "User",
        "email_address": "[email protected]",
        "password": "$2a$10$6zP1jVKYJjfPIeJFq45X2udbiZPvPIWVXUJTC7YxmYMLLC1Oz7zK6",
        "org_id": "55f98e387cd3590001000001",
        "active": true,
        "id": "55fa73ef28d54ac9e78af8b7",
        "access_key": "0ac82cdbb7aa40c96f893ea27e917c5d"
    }],
    "pages": 0
}

and the org is:

{
    "organisations": [{
        "id": "55f98e387cd3590001000001",
        "owner_name": "test-org",
        "owner_slug": "test-slug",
        "cname_enabled": false,
        "cname": "",
        "apis": [],
        "developer_quota": 1000,
        "developer_count": 0,
        "event_options": {},
        "hybrid_enabled": false
    }],
    "pages": 0
}

Thanks,
Ian.


#6

Imported Google Group message.
Sender: Martin Buhr.
Date: Thursday, 17 September 2015 11:40:39 UTC+1.

Hi Ian,

I installed our quick start just to make sure I wasn’t going mad. I’ve documented the whole flow below - this is confirmed to work (you might want to destroy your MongoDB and recreate it though). This is quite long, but here goes:

  1. Create the org:

POST /admin/organisations/ HTTP/1.1
Host: 192.168.99.100:3000
admin-auth: 12345
Content-Type: application/json
Cache-Control: no-cache

{ "owner_name": "test-org", "owner_slug": "test-slug", "cname_enabled": false }

{
    "Status": "OK",
    "Message": "Org created",
    "Meta": "55fa95889395390001000001"
}

  2. Create the Super user:

POST /admin/users/ HTTP/1.1
Host: 192.168.99.100:3000
admin-auth: 12345
Content-Type: application/json
Cache-Control: no-cache

{ "first_name": "Super", "last_name": "User", "email_address": "[email protected]", "password": "", "org_id": "", "active": true }

{
    "Status": "OK",
    "Message": "16c92076bd784da073ccb586d169c5fc",
    "Meta": ""
}

  3. Create the Org user and attach to Org ID:

POST /admin/users/ HTTP/1.1
Host: 192.168.99.100:3000
admin-auth: 12345
Content-Type: application/json
Cache-Control: no-cache

{ "first_name": "Regular", "last_name": "User", "email_address": "[email protected]", "password": "empty", "org_id": "55fa95889395390001000001", "active": true }

{
    "Status": "OK",
    "Message": "907ca683c0314bca6d995a64bb406358",
    "Meta": ""
}

  4. List the users so far (SU Token):

GET /api/users/ HTTP/1.1
Host: 192.168.99.100:3000
Authorization: 16c92076bd784da073ccb586d169c5fc
Content-Type: application/json
Cache-Control: no-cache

{
    "users": [
        {
            "api_model": {},
            "first_name": "Super",
            "last_name": "User",
            "email_address": "[email protected]",
            "password": "",
            "org_id": "",
            "active": true,
            "id": "55fa95acc47445dc8a42fce7",
            "access_key": "16c92076bd784da073ccb586d169c5fc"
        },
        {
            "api_model": {},
            "first_name": "Regular",
            "last_name": "User",
            "email_address": "[email protected]",
            "password": "empty",
            "org_id": "55fa95889395390001000001",
            "active": true,
            "id": "55fa9605c47445dc8a42fce8",
            "access_key": "907ca683c0314bca6d995a64bb406358"
        }
    ],
    "pages": 0
}

  5. Reset the user’s password (we need their user ID for that), either with the SU’s access key, or the user we just created:

POST /api/users/55fa9605c47445dc8a42fce8/actions/reset HTTP/1.1
Host: 192.168.99.100:3000
Authorization: 16c92076bd784da073ccb586d169c5fc
Content-Type: application/json
Cache-Control: no-cache

{ "new_password": "test123" }

{
    "Status": "OK",
    "Message": "User password updated",
    "Meta": ""
}

Then log in at http://tyk.docker:3000/

Login should work (u:[email protected] p:test123).

I’m not sure what is happening on your instance, but the above flow was replicated twice - I suggest using a clean setup (remove your containers and load them again).

Let me know how you get on.

Cheers,
Martin
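
Added example (Python, not Tyk’s or the thread’s own code): it drives the five-step flow above through the admin and users APIs, then audits the resulting user listing for the condition Ian first hit, i.e. any account whose stored password is not a bcrypt hash (plaintext or empty) or that is not marked active. It assumes a Dashboard reachable at base_url, an admin-auth secret, and response shapes matching the ones shown in this thread; SAMPLE_LISTING is constructed for an offline run of the audit.

```python
import json
import re
import urllib.request

# Stored bcrypt hashes look like $2a$10$<22-char salt><31-char digest>.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
HASH = "$2a$10$6zP1jVKYJjfPIeJFq45X2udbiZPvPIWVXUJTC7YxmYMLLC1Oz7zK6"  # from the thread

def audit_users(listing):
    """(email, problem) pairs for users whose password is unhashed or who are inactive."""
    problems = []
    for user in listing.get("users", []):
        email = user.get("email_address", "?")
        if not BCRYPT_RE.match(user.get("password") or ""):
            problems.append((email, "password stored unhashed or unset"))
        if not user.get("active"):
            problems.append((email, "user not active"))
    return problems

def call(base_url, method, path, headers, body=None):
    """Send one JSON request to the Dashboard and decode the JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def provision(base_url, admin_secret, slug, email, new_password):
    """Org -> org user (admin API) -> password reset (users API) -> audit."""
    admin = {"admin-auth": admin_secret}
    org = call(base_url, "POST", "/admin/organisations/", admin,
               {"owner_name": slug, "owner_slug": slug, "cname_enabled": False})
    user = call(base_url, "POST", "/admin/users/", admin,
                {"first_name": "Org", "last_name": "User", "email_address": email,
                 "password": "", "org_id": org["Meta"], "active": True})
    key = {"Authorization": user["Message"]}  # admin API returns the new user's access key
    listing = call(base_url, "GET", "/api/users/", key)  # scoped to the user's own org
    uid = next(u["id"] for u in listing["users"] if u["email_address"] == email)
    call(base_url, "POST", f"/api/users/{uid}/actions/reset", key,
         {"new_password": new_password})
    return audit_users(call(base_url, "GET", "/api/users/", key))

# Constructed sample modelled on the listings in the thread (not real accounts).
SAMPLE_LISTING = {"users": [
    {"email_address": "super@example.test", "password": "", "active": True},
    {"email_address": "plain@example.test", "password": "empty", "active": True},
    {"email_address": "ok@example.test", "password": HASH, "active": True},
    {"email_address": "off@example.test", "password": HASH, "active": False},
]}
```

Running audit_users(SAMPLE_LISTING) reports the two unhashed accounts and the inactive one; an empty result after provision() means the new user has a hashed password and is active, which is the state the dashboard login needs.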


#7

Imported Google Group message.
Sender: Ian Harris.
Date: Thursday, 17 September 2015 12:06:39 UTC+1.

Hi Martin,

OK, not sure what I did the first time, but that time it worked perfectly. I can log in now.

Thanks for all your help,
Ian.
