I have already asked myself this question a lot of times.
When you have your own custom login page and you want to inform the users who are logging in if they are doing something wrong during the login process (for example entering a wrong password or email), how is it possible to differentiate between these two different wrongly entered values?
In both cases you get the following error-message from console-system…
Which tells us, that something has been done wrong during the login-process! OK! But which entry was the wrong one (exactly)?
No matter if …
- it is a wrongly entered password…
- it is a wrongly entered email…
- or it is even a non-existing account…

…you always get just a very imprecise error-message as output.
If (there is a possibility how to define it more precise) {let me know}.
else if (there isn’t any possibility) {
setTimeOut(()=>{wix/velo has a new scheduled-task},as soon as possible);
}
else {more of my followers will storm the fortress }
Thanks
BTW: Is there an API-DOC where all the error-Codes can be found?
Sorry for all the detailed investigations
Edit: And I was happy to see that there was a more specific error-handler for blocked users …
Does the errorCode change if you enter a wrong email vs. a wrong password? I wonder if that is the clue you could use.
If it is the wrong email, that implies that it is nonexistent (in the collection) that is being used to test the login, since there is no real way to test if the email is invalid without trying to send a physical email to the email address and waiting for a response from the incoming mail server. In fact, on some email servers (that I’ve configured), I silently drop emails that have invalid incoming addresses. I don’t want hackers trying to repeatedly send emails and get a response that the email address is invalid, to try and guess valid emails.
So you mean there is a reason why there is no existing ERROR-CODE to differentiate between email and password? Damn it! That's not good.
OK, I'll just try to imagine the hacker's behaviour (or better said, the behaviour of the hacker’s crawler program). OK, let’s say the CRAWLER would be able to read the e-mail, and would also be able to react to the incoming outputs.
What about something like an implemented CAPTCHA process or something in this direction?
As I always care to say → where there's a will, there's a way!
OK! But what about an absolutely non-existing user account? Also the same error message!
What if you get the error message that the email or password is invalid? Can you take the info from WixUsers to get the email the user used to try and log in with? Can you use that email to do a query on the Users/Contacts collection and see if the email exists? I am not up to speed on how Wix authenticates logins and what it puts into its WixUser object. I don’t know if it tracks the user's email in the User object, even if the user is not logged in. I haven’t read through the WixUsers API, or tested it, since I haven’t used it yet. The websites I’ve been working with are public facing and don’t authenticate the user.
Hopefully we will get some answers from Wix/Velo-Team. Let’s wait for it…
In the meantime I'll try to find my own way to fame and fortune😅.
Let me know if you are faster in this case.
BTW: For those who are using my Login-System to do some analysis tests, sorry if sometimes all DATA is gone, or something is not working properly. It is still under development and changes are made almost every day. You will surely understand this.
What if you store all of the data when a user signs up in its own “verification” database, and then when a user tries to log in you can query that database to see if the entry exists? If there is no matching result you can show the text with the correct error.
My aim was not to create my own (third) database for members (if you followed all of my posts you have probably seen it already).
But anyway → your suggestion is the key! Well done!
I do not even need a third database.
Now I know what to do and how to solve it.
It will even solve both of my issues.
Thanks for the right idea!
It’s a dangerous world out there. Why would you want to help a hacker figure out how to work out the login credentials? If a legitimate user is trying to log in, then they should have their information saved somewhere (password program or a sticky note on their screen) and can easily fix the error. A hacker, on the other hand, shouldn’t be given any assistance.
Yes, I understood it. So now, knowing the reason for the missing error messages, it’s OK to dispense with them.
As I already stated in a parallel post → I am just forced to use a third DATABASE for my purposes, no matter how hard I try to avoid this.
@jarod
Just wanted to let you know! → Your idea worked well! (And you still have my best ANSWER-AWARD → although it was changed by somebody.)
Now the engine distinguishes between a wrong password and wrong/non-existing emails.
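
The two wishes in this thread can coexist: the login page gives one generic message for a wrong password, a wrong email and a non-existing account, while the precise reason is kept in a server-side log for the site owner. The following is an added example, not code from any poster or from Wix/Velo; the in-memory user store, `login`, `auditLog` and the scrypt hashing are assumptions made for illustration.

```javascript
// Added example: all names and the in-memory store are constructed for illustration.
const crypto = require('node:crypto');

const GENERIC_ERROR = 'Invalid email or password.';

function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

function makeUser(email, password) {
  const salt = crypto.randomBytes(16);
  return { email, salt, hash: hashPassword(password, salt) };
}

// Constructed sample data standing in for the members collection.
const users = new Map([
  ['alice@example.com', makeUser('alice@example.com', 'correct horse')],
]);

// Dummy record: an unknown email costs the same hashing work as a known one,
// so response time does not reveal whether the account exists.
const dummy = makeUser('dummy@invalid', crypto.randomBytes(16).toString('hex'));

// Server-side only; never returned to the browser.
const auditLog = [];

function login(email, password) {
  const key = String(email).trim().toLowerCase();
  const user = users.get(key);
  const record = user || dummy;
  const candidate = hashPassword(String(password), record.salt);
  // Both buffers are 32 bytes, as timingSafeEqual requires.
  const match = crypto.timingSafeEqual(candidate, record.hash);

  if (user && match) {
    auditLog.push({ email: key, reason: 'ok' });
    return { ok: true };
  }
  // The precise reason is recorded for the site owner, not shown to the person typing.
  auditLog.push({ email: key, reason: user ? 'wrong_password' : 'unknown_email' });
  return { ok: false, message: GENERIC_ERROR };
}
```

The response for a wrong password and for an unknown email is identical, so repeated attempts cannot be used to build a list of registered addresses.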