Anomalies to Login Logout moralis.io urls UI Testing

added numbered examples/scenarios/test case

some of this could be considered minimal impact or security anomalies that should be locked down as Security Policy for Crypto-Money Projects.

for instance; (this is all on ubuntu20lts Brave)
TEST 1
https://poc.moralis.io/login
- when I click in the email field , two names show up. so 2 saved passwords.
- I have logged in several times as [email protected] and retype the password but this user password pair never saves.

TEST 2

  • SO I just clicked on [email protected] saved name and password appears. (then discovered another glitch)
    - then I click on the captcha but the squares reloads as empty
    • then I click on the captcha but the squares reloads as empty
    • then I click on the captcha but the squares reloads as empty
  • then I click on the login button which says gotta do kaptcha so
    • then I click on the captcha but the squares reloads as empty
      cant get out of this cycle.
      until I reload the page and Kaptcha works again, except the saved password doesnt work.

TEST 3
so I log in as [email protected] but have to type it manually.
- I just go for LogOut and then on the login screen in the email field is [email protected] but there is no password

TEST 4
The item that prompted this glitch report is;
when I have been logged in as [email protected] for longer than Idle time , the screen does not update as logged out.
so 2 hrs later I click on anything , like Index API , the new page will load, then after it loads and I can see the screen for a moment before a refresh occurs and I am logged out.
* perhaps LOGGED IN TEST is not processing first so allows the next page to be seen.

2 NEW TESTS
I am setting up two tests;
- I created a new instance connected to bsc testnet
- I have it set to show the Delete Button and Dashboard button.
Test 5 - after two hrs past autolog out, I will click on the DashBoard icon to see if it launches me into the dash board logged in. I expect I will get the dash board open
Test 6 - >2hrs click trash can to delete the instance.
I expect to be logged out after the delete instance is executed and then when I log back in , It will not be there.

NEXT Glitch
I do not check this link very often just yet
https://7fs7jcaojzl6.moralis.io:2083/apps/moralisDashboard/logs/info

TEST 7
However, it seems to Never AutoLog Out. for over a week now.
I am pretty sure I have rebooted this laptop several times and not looked at this page. then today I go to check it for login and it is already logged in.

this should auto log out like everything else.

TEST 8
forums.moralis.io also seems to never auto log out.

How an annoying Glitch turned into a Login Security Report

as a security measure, Moralis is inviting WhiteHats and BlackHats to attempt to compromise login at every level and every interface, just because Moralis is the new kid on the block encouraging noob developers to to publish weak code, just cuz they are noobs.

I would like to see implemented a stricter policy and code audit for every log in interface to ensure Behaviour is identical and consistent across all logins and confirmed that back end code confirms Active Login Session is valid before anything else could possibly process.

while Consistent Identical Behaviours was the driving inspiration, it is likely that the potential security issues is actually more of a concern.

MORE TEST CASES on 2nd Laptop;
SO next I look to setup similar testing from the 2nd Ubuntu20LTS Laptop running latetst FIreFox

TEST 9
I load poc.moralis.io/login and [email protected] email and password are saved and login works. I updates the server instance. when done I log out.

  • Why wont it save in BRave?

TEST 10
same email n password present , I click Login, but forgot to click kaptcha. so Error says gotta do Kaptcha. I click OK
the reKaptcha tries to load but never loads.
it takes way too long so I reload the page.
I clicked on kaptcha square and the circle is still spinning 5 mintues later

I reload the page again
same login credentials waiting.
I click Kaptcha Square and get check mark
I click Login.

  • this time it worked.

then I click LogOut and I get login screen again;
I click captcha square
spinning circle for 5 minutes and never stops.
I click login and it says Please complete Kaptcha

Test 10 Results:
several tests confirm that after logout, you can not log back in until a full reload of the poc.moralis.io/login page

EndUser Experience needs;
It is imperative that all login processes are flawless , seamless with no room to be compromised.

hhmmm perhaps on Logout, you can also force a Leave Page or Close Tab to fully clear anything left behind in the browser tab cache or anywhere else.

I will report back with updates on the 2hr time out test on poc.moralis.io to see if I can launch a dashboard or delete a server.

Cacao

SO long testing update now in process.

best to be sure @ivan @filip and who else you want on this?

TEST 11
from the UBubtu20lts FireFox user login of [email protected] to poc.moralis.io that sat for 2hrs,
I returned to that tab and clicked on the Red Garbage Can
which presented me this unfortunate message

SO I clicked on the Delete button and the action was sent and then after waiting the tab refreshes to login screen.

on the plus side, I log back in and the server instance is still there.

I leave that screen open on Plugins to test tomorrow.
TEST 12
so from the other Ubuntu20LTS Brave only logged in as [email protected]
I close the other tab with Server DASHBOARD Open.
Then, from poc.moralis.io I can see Server named ‘logged out delete test’ expanding showing buttons for Dashboard etc…
poc.moralis. session timed out 2 hrs ago

  • I click on DashboardButton
    - result, a new tab opens with dashboard logged in.
    that should not be possible.

TEST 13
I find the log out button under 3 dots at bottom left and click it.
- log out works
I go back to 2hr old poc.moralis.io and click on DASHBOARD again and a new tab opens. then I log it out
- repeat 20 times in a row.

TEST 14
I go back to poc.moralis.io and click on Create a new App.
I fill in the info and select Add Instance.
the color changes slightly when I move the mouse over the button
however, nothing seems to happen when I click on it.

So I scroll up to click Close and that window closes but the underlieing page has still not refreshed or logged me out.

TEST 15
before testing delete can, I try click the 3 dots beside ‘RaribleClone testnet’ and then the tab refreshes and logs me out.

TEST 16 post poned
but what I really need to test is, does View Details still display after Session Time Out.
got to wait another hr or so.

its all in the details :wink:

Cacao

TEST 17
Starting from poc.moralis.io/servers home screen that sat for 2hrs past session time out.

  • Click Create New App buttong and I get
    this visual from ubuntu20lts BRave

  • I can give it a name and set the other drop downs
  • click add server doesnt seem to do anything.
  • I click on close popup and then there is refresh and returns with login screen

There seems to be a lot to see after session time out. more than my inner net security admin is comfortable with.

Bro I’m sorry it’s too long text you write
If you can summarize issue in a few sentences like everyone else I can check :pray::pray:

I can’t read a whole bible long text to understand question :sob::heart:

sorry, its step by step login log out glitches so you can repeat steps to see whats up with session id status.

its not code im working with , its the code on your back end.

I am sure ALL your users are to encounter this and maybe dismiss it. but it is ultimately a frustration to your users at times of their login and session time out.

1 Like

TEST 18
user interface report you can replicate

After session time out from poc.moralis.io
I can still click on Details and Display the MasterKey
Dashboard Password and CLI API Key & Secret

I can also see Email Config and EVM Config
which remains until I click CLOSE
then screen refresh and forwards to moralis login screen.

I will be sure to delete the server tomorrow so the publically displayed in pic credentials will be fully wiped

2 Likes

So basically is an issue on the moralis dashboard right?

I mean, after the session time ended by inactivity, you must relog again, that works good. But what you have found is that if you keep the server details window open, you can move into all its options even if the session should end. So when you click the ‘close’ button of that windows, it will trigger the logout and show you the login page again right??

Carlos Z

a few items to clear up;

1 - I noticed login anomalies at Every Moralis.io developers login
2 - I will number the examples in UI Test Review from the start of topic
3 -

very close, this is more accurate;
what I have found is that after login, you see the main screen.
then do nothing for 2hrs and it is still all there.
Then I can click on DETAILS button which opens popup and all Details are presented and you can move into all its options even though Session has Actually Expired. and see all the secret pass codes

4- these comments are really for TEST 18 above

TEST 19

  • another test, after login, do nothing for 2hrs
    Click Avatar Icon and then click Change Password , the Change Password Dialog comes up and allows me to enter new password and click the submit button. but that could have really screwed the account if it worked so I did not do it. Instead click close and then it auto refresh back to login screen

the first message is now broken up into 10 Test Scenarios implemented and reported.

what will likely make me MOST Happy as Hyper Secure Admin would be that once a session expires, what ever code is in the Browser JS is setup to accept Notification that the tabs Session ID Expired on back end and force flush all the related browser buffer, cache, temp files of everything realted to that page and then force kill the tab or force push URI to a page that says sorry your session id expired so for tight security the browser data was also flushed.

hey @Capplequoppe is UI session management hardening one of your gifts :thinking:

TEST 20 - unplanned.

I shutdown this Ubuntu20LTS FireFox before going out for the day.
7pm EST I turn it back on.
9PM I launch FIreFOx
and it says check out this cool looking firefox upgrade.
11pm I click this forum.moralis.io tab from yesteday
- the Page Loads, fully logged in to forum.moralis.io

  • there seems to be NO Session Status test at all for forum.moralis.io with same behavior on 2 laptops with different browser.

what should happen is - what ever it takes to force log out and prevent browser or any other means from Keep Session Alive.

now I remember when I was sysadmin login testing across all server types and all the CMSes installed by cowboy webdevelopers , oh the 90s 8^)

I am so pleased to only be able to submit UI Test Report and leave the glitch resolution to Moralis Team :thinking: :upside_down_face:

1 Like

Thank you @Cacao for reporting :pray:! We will address these in a coming patch.

2 Likes