I’m having trouble with my Zapier authentication setup. The auth module seems to accept any username and password combination instead of properly validating them.
Here’s my current authentication code:
```javascript
const axios = require('axios');
const crypto = require('crypto');

const verifyCredentials = (zapier, config) => {
  return zapier.request({
    url: 'https://myapi.example.com/auth/verify',
    method: 'POST',
    json: {
      'auth_data': {
        'client_id': 'XYZ123',
        'email': config.authData.email,
        'pass': config.authData.pass,
      }
    },
  }).then((result) => {
    if (result.status === 401) {
      throw new Error('Invalid login details');
    }
    return result.data;
  });
};

module.exports = {
  type: 'custom',
  fields: [
    {key: 'email', label: 'Email Address', required: true, type: 'string'},
    {key: 'pass', label: 'Password', required: true, type: 'password'}
  ],
  test: verifyCredentials,
  connectionLabel: '{{config.authData.email}}'
};
```
The problem is that when I try to connect an account in the action setup, it accepts random text for both email and password fields. The validation doesn’t work properly and any input gets approved.
I’ve hit this exact problem before - it’s usually how you’re handling the response. Your code only checks for 401 status, but axios throws errors for most HTTP error codes before your .then() even runs. Your API is probably returning a 200 status with an error message in the response body, so your code thinks it succeeded. Check what your API endpoint actually returns first. Look at result.data for success/error flags instead of just HTTP status. Also add some logging to make sure you’re hitting the right endpoint - sometimes that’s the real issue.
you’re catching the wrong response codes. most APIs don’t throw 401 when auth fails - they return 200 with error data inside. console.log the actual response first to see what your endpoint sends back. you probably need to check result.data.success or a similar field instead of just HTTP status.
Your axios config might be the problem. When you use the json property, axios auto-sets content-type headers, but some APIs want different formatting. Try switching json: to data: and manually set the content-type header. Also, you’re only catching 401 errors, but successful auth attempts that fail validation might return 200 with error details in the body. I had a similar auth module that kept accepting bad credentials because the API returned 200 status with {success: false} in the body. Add a check for whatever response structure your API actually returns when auth fails.
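The failure mode the answers describe (a 200 response whose body reports the failure) can be closed with a check that only accepts an explicit success. This is an added example, not code from any post in this thread. The `success` field, the `body` payload key, and the `fakeZapier` stub with its responses are assumptions to be replaced with what the real endpoint and request client use.

```javascript
// Added example; the `success` flag and the response shapes are assumptions.
// Fail closed: anything that is not an explicit success is rejected.
function checkAuthResponse(response) {
  if (response.status < 200 || response.status >= 300) {
    throw new Error(`Invalid login details (HTTP ${response.status})`);
  }
  const body = response.data;
  // A string body (e.g. an HTML error page) or a missing flag is not a login.
  if (!body || typeof body !== 'object' || body.success !== true) {
    throw new Error('Invalid login details');
  }
  return body;
}

// Same (zapier, config) shape as the question; the `body` key is an assumption.
const verifyCredentials = (zapier, config) =>
  zapier.request({
    url: 'https://myapi.example.com/auth/verify',
    method: 'POST',
    body: {
      auth_data: {
        client_id: 'XYZ123',
        email: config.authData.email,
        pass: config.authData.pass,
      },
    },
  }).then(checkAuthResponse);

// Constructed stand-in for the request client. It accepts one credential pair
// and answers every rejected login with HTTP 200 plus success: false.
const fakeZapier = {
  request: async (options) => {
    const { email, pass } = options.body.auth_data;
    const ok = email === 'user@example.com' && pass === 'correct-horse';
    const data = ok ? { success: true, email } : { success: false, error: 'bad credentials' };
    return { status: 200, data };
  },
};

// Runs one good and one bad login through the check and records the outcome.
async function demo() {
  const results = [];
  for (const pass of ['correct-horse', 'random text']) {
    const config = { authData: { email: 'user@example.com', pass } };
    await verifyCredentials(fakeZapier, config)
      .then(() => results.push('accepted'), () => results.push('rejected'));
  }
  return results;
}
```

Calling `demo()` resolves to one entry per attempted login, in order, so the random password shows up as rejected even though the stub answered it with HTTP 200.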