Can beforeLogin handler be used to discriminate between valid Users

I use one application id and database for two different mobile apps, App #1 and App #2. Originally, the customer who uses the app didn’t care about App #1 being tied to a user login, but app #2 uses a phone number as the identity and is secure. Now, the user has changed their mind, and they want to protect App #1 with a forced user login. The problem is that all of the users are considered valid for app #1, but only a few users should be able to access app #2. I see there is no way to pass extra information in the Backendless.UserService.login() call. I could easily check for valid users for app #2 on the server, but there is no way to tell which app they are trying to log into.

Complicating this is that some data from App #1 is used in App #2, so it would be hard to separate them into different app ids.

Any recommendations or ideas?

Thank you

Hi @Kelly_Oglesby ,

As I understand it, you need to specify some marker during login which will bind the user to one app or the other.
If I am correct, then it will be better to create your own custom login endpoint using a custom service. In it you will be able to make all required checks before the actual user login.

As for the beforeLogin handler: there is no way to pass any additional information about the login attempt, so it can be problematic to reach your goal using this approach.

Regards, Andriy
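One way to build the custom login endpoint suggested above, as an added example that is not part of the original posts or Backendless's own code: the client sends the target app with the credentials, and the service decides from the stored user record before calling the real login. The app ids, the `app2Enabled` column, the `email` identity column and the `AppLoginService` name are assumptions.

```javascript
// Added example. Assumed names: app ids 'app1'/'app2', the `app2Enabled`
// column, the `email` identity column, and the AppLoginService class.
const APP_RULES = {
  app1: () => true,                           // every valid user may use App #1
  app2: (user) => user.app2Enabled === true   // only flagged users may use App #2
};

function notAuthorized() {
  return Object.assign(new Error('Not authorized'), { code: 9999 });
}

// Policy decision, made from the stored user record and never from client claims.
function isAllowed(user, app) {
  const known = Object.prototype.hasOwnProperty.call(APP_RULES, app);
  return Boolean(user) && known && APP_RULES[app](user);
}

// All checks run before the real login call. `deps` holds the two backend
// calls so the logic can be exercised without a Backendless server.
async function loginForApp(deps, login, password, app) {
  if (typeof login !== 'string' || typeof password !== 'string') throw notAuthorized();
  const user = await deps.findUser(login);
  if (!isAllowed(user, app)) throw notAuthorized(); // same error for unknown user or app
  return deps.login(login, password);
}

class AppLoginService {
  /**
   * @param {String} login
   * @param {String} password
   * @param {String} app
   * @returns {Promise<Object>}
   */
  login(login, password, app) {
    return loginForApp({
      findUser: async (id) => {
        const where = `email = '${id.replace(/'/g, "''")}'`; // double quotes so input stays a literal
        const query = Backendless.DataQueryBuilder.create().setWhereClause(where);
        return (await Backendless.Data.of('Users').find(query))[0];
      },
      login: (l, p) => Backendless.UserService.login(l, p)
    }, login, password, app);
  }
}

// Register only when running inside Backendless CodeRunner.
if (typeof Backendless !== 'undefined') Backendless.ServerCode.addService(AppLoginService);
```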

OK. One more question, please. Is the req object passed to the beforeLogin handler read-only? I would simply test this myself, but the authentication part of my apps is in production, so it would be difficult to test without disrupting users.

What I’m thinking is that I could pass a JSON object as the username when logging in. It would contain the username the user supplied and the extra info I need to determine if the user is allowed to use the requested app. If I can write to the req object, I would just set the correct username back in the “login” member of the req object before returning. For example:

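Backendless.ServerCode.User.beforeLogin(async function(req) {
    // req.login would carry a JSON string holding the real username plus the extra info
    let login = JSON.parse(req.login)
    let valid = doMyAuthentication(login)

    if (!valid) {
        // Reject the login attempt
        throw new BackendlessServerException(
            new BackendlessExceptionMessage(9999, "Not authorized"))
    }
    else {
        // Put the real username back so the normal login can proceed
        req.login = login.username
    }
});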

Thank you, Andriy!

Hi @Kelly_Oglesby ,

Unfortunately, you can’t modify the login or password values from an event handler.

Regards, Andriy