Added numbered examples/scenarios/test cases.
Some of this could be considered minimal-impact or security anomalies that should be locked down as security policy for crypto-money projects.
For instance (this is all on Ubuntu 20 LTS, Brave):
TEST 1
https://poc.moralis.io/login
- When I click in the email field, two names show up, so 2 saved passwords.
- I have logged in several times as [email protected] and retyped the password, but this user/password pair never saves.
TEST 2
- So I just clicked on the saved [email protected] name and the password appears. (Then I discovered another glitch.)
- Then I click on the captcha, but the squares reload as empty.
- Then I click on the captcha, but the squares reload as empty.
- Then I click on the login button, which says I gotta do the kaptcha, so
- then I click on the captcha, but the squares reload as empty.
Can't get out of this cycle
until I reload the page and Kaptcha works again, except the saved password doesn't work.
TEST 3
So I log in as moralis@greatspirit but have to type it manually.
- I just go for LogOut, and then on the login screen the email field is [email protected] but there is no password.
TEST 4
The item that prompted this glitch report is:
when I have been logged in as [email protected] for longer than the idle time, the screen does not update as logged out.
So 2 hrs later I click on anything, like Index API; the new page will load, then after it loads I can see the screen for a moment before a refresh occurs and I am logged out.
* Perhaps the LOGGED IN test is not processed first, so it allows the next page to be seen.
2 NEW TESTS
I am setting up two tests:
- I created a new instance connected to BSC testnet.
- I have it set to show the Delete button and Dashboard button.
Test 5 - after two hrs past auto-logout, I will click on the Dashboard icon to see if it launches me into the dashboard logged in. I expect I will get the dashboard open.
Test 6 - >2 hrs, click the trash can to delete the instance.
I expect to be logged out after the delete instance is executed, and then when I log back in, it will not be there.
NEXT Glitch
I do not check this link very often just yet:
https://7fs7jcaojzl6.moralis.io:2083/apps/moralisDashboard/logs/info
TEST 7
However, it seems to never auto log out, for over a week now.
I am pretty sure I have rebooted this laptop several times and not looked at this page. Then today I go to check it for login and it is already logged in.
This should auto log out like everything else.
TEST 8
forums.moralis.io also seems to never auto log out.
How an annoying Glitch turned into a Login Security Report
As a security measure, Moralis is inviting WhiteHats and BlackHats to attempt to compromise login at every level and every interface, just because Moralis is the new kid on the block encouraging noob developers to publish weak code, just cuz they are noobs.
I would like to see implemented a stricter policy and code audit for every login interface, to ensure behaviour is identical and consistent across all logins, and to confirm that back-end code confirms the Active Login Session is valid before anything else could possibly process.
While Consistent Identical Behaviours was the driving inspiration, it is likely that the potential security issues are actually more of a concern.
MORE TEST CASES on 2nd Laptop:
So next I look to set up similar testing from the 2nd Ubuntu 20 LTS laptop running the latest Firefox.
TEST 9
I load poc.moralis.io/login and the cacao@cryptococreators email and password are saved and login works. I update the server instance. When done I log out.
- Why won't it save in Brave?
TEST 10
Same email and password present; I click Login, but forgot to click the kaptcha, so the error says gotta do the Kaptcha. I click OK.
The reKaptcha tries to load but never loads.
It takes way too long, so I reload the page.
I clicked on the kaptcha square and the circle is still spinning 5 minutes later.
I reload the page again.
Same login credentials waiting.
I click the Kaptcha square and get a check mark.
I click Login.
- This time it worked.
Then I click LogOut and I get the login screen again;
I click the captcha square;
spinning circle for 5 minutes and never stops.
I click login and it says Please complete Kaptcha.
Test 10 Results:
Several tests confirm that after logout, you cannot log back in until a full reload of the poc.moralis.io/login page.
End-user experience needs:
It is imperative that all login processes are flawless, seamless, with no room to be compromised.
Hmmm, perhaps on Logout you could also force a Leave Page or Close Tab to fully clear anything left behind in the browser tab cache or anywhere else.
I will report back with updates on the 2 hr timeout test on poc.moralis.io to see if I can launch a dashboard or delete a server.
Cacao