Login not using the username provided by the POST request

[wolfsblu]

Hello! I'm having some strange issue when trying to call the login endpoint via POST with a JSON body. To be precise, when I make this call via curl or similar:

POST http://example.com/auth/login HTTP/1.1
Content-Type: application/json
{
    "username": "test",
    "password": "test"
}

I get the following response:

401 Unauthorized 
{
  "field-error": [
    "username",
    "no matching login"
  ],
  "error": "There was an error logging in"
}

And a look at the rails output reveals these SQL queries:

Started POST "/auth/login" for example.com at 2023-01-22 17:04:06 +0100
Processing by RodauthApp#call as HTML
  Parameters: {"username"=>"test", "password"=>"[FILTERED]"}
  Sequel (0.4ms)  SELECT version()
  ↳ app/misc/rodauth_app.rb:15:in `block (2 levels) in <class:RodauthApp>'
  Sequel (0.3ms)  SELECT version()
  ↳ app/misc/rodauth_app.rb:15:in `block (2 levels) in <class:RodauthApp>'
  Sequel (0.8ms)  SELECT * FROM `auth_users` WHERE ((`name` = '') AND (`status` IN (1, 2))) LIMIT 1
  ↳ app/misc/rodauth_app.rb:15:in `block (2 levels) in <class:RodauthApp>'
Completed 401 Unauthorized in 107ms (ActiveRecord: 3.7ms | Allocations: 13464)

Especially this line is interesting:

Sequel (0.8ms)  SELECT * FROM `auth_users` WHERE ((`name` = '') AND (`status` IN (1, 2))) LIMIT 1

It seems the credentials passed to the controller are not handed to rodauth somehow. I'm not sure whether I misconfigured my app or if there is some other issue at play here, but my configuration looks as follows:

class RodauthMain < Rodauth::Rails::Auth
  configure do
    enable :create_account, :verify_account, :verify_account_grace_period,
      :login, :logout, :remember, :json,
      :reset_password, :change_password, :change_password_notify,
      :change_login, :verify_login_change, :close_account

    accounts_table :auth_users 
    rails_account_model { Auth::User }

    login_column :name
    login_uses_email? false
    login_param :username

    email_to do 
      account[:email]
    end
  end
end

And my user model is also straight forward:

class Auth::User < ApplicationRecord
    include Rodauth::Rails.model
    enum :status, unverified: 1, verified: 2, closed: 3
end

Does anyone have an idea what could be wrong here? I'm using Ruby 3.2.0, rodauth 2.26.1 and rodauth-rails 1.7.0

[janko]

I believe the issue might be in login_param being passed a symbol, where it probably needs to be a string. Roda uses Rack's default params, which don't provide indifferent access that Active Support does, so params need to be access via string keys. Could you try whether it works with login_param "username"?

[wolfsblu]

My bad, I tried it now with the correct parameter names, but in the end I get the same result:

curl -X POST http://127.0.0.1:3001/auth/login \
> -H 'Content-Type: application/json' \
> -d '{"login": "user", "password": "secret"}'

And got this response

{"field-error":["login","no matching login"],"error":"There was an error logging in"}

With this log output

Started POST "/auth/login" for 127.0.0.1 at 2023-01-28 09:44:15 +0100
Processing by RodauthApp#call as */*
  Parameters: {"login"=>"user", "password"=>"[FILTERED]"}
  Sequel (0.3ms)  SELECT * FROM `accounts` WHERE ((`email` = '') AND (`status` IN (1, 2))) LIMIT 1
  ↳ app/misc/rodauth_app.rb:12:in `block (2 levels) in <class:RodauthApp>'
Completed 401 Unauthorized in 40ms (ActiveRecord: 0.3ms | Allocations: 3338)

[janko]

Thanks, I was able to reproduce the issue. It seems like the problem is in Falcon; the request parameters get parsed by Rails, but not by Roda, they end up being blank (both login & password are missing). My suspicion is that something is not rewinding env["rack.input"], aka request body. When I switch to Puma, everything works.

I will try to come up with a minimal example that reproduces the bug, and open an issue in the Falcon repository.

[wolfsblu]

That's a relief, I thought I'm missing something obvious. Thank you very much for looking into it!

[janko]

I pushed a fix to the main branch, which should make rodauth-rails compatible with Falcon 🙂

[wolfsblu]

Wow, that was really fast, thanks again!