#10 Password Hashes and API Tokens Returned in Response
Summary:
  - Removed fields with sensitive data from users information.

Test Plan:
Scenario.
  1. Log in to YW.
  2. Open the browser developer panel; tab 'Network'; type of packets 'XHR' (captions are from Chrome and could differ for other browsers);
  3. In YW: go to 'Profile' (from the dropdown list under the user icon in the upper right corner); open tab 'Users';
  4. In the developer panel: find a request "users", select the "Preview" mode in the right panel of the developer panel; check that each user's description (data) doesn't have the fields 'passwordHash' and 'apiToken' (see the picture).

{F14340}

Reviewers: daniel

Reviewed By: daniel

Subscribers: jenkins-bot, yugaware, wesley

Differential Revision: https://phabricator.dev.yugabyte.com/D9785
SergeyPotachev committed Oct 29, 2020
1 parent c1462a1 commit ce47c60
Showing 2 changed files with 11 additions and 12 deletions.
5 changes: 2 additions & 3 deletions managed/src/main/java/com/yugabyte/yw/models/Users.java
Expand Up @@ -11,8 +11,6 @@
import javax.persistence.Entity;
import javax.persistence.Enumerated;
import javax.persistence.EnumType;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;

import org.joda.time.DateTime;
Expand All @@ -26,7 +24,6 @@
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.google.common.base.Joiner;

import play.data.validation.Constraints;
import play.libs.Json;
Expand Down Expand Up @@ -91,6 +88,7 @@ public String getEmail() {
return this.email;
}

@JsonIgnore
@Column(length = 256, nullable = false)
public String passwordHash;

Expand All @@ -107,6 +105,7 @@ public void setPassword(String password) {
@Column(nullable = true)
private Date authTokenIssueDate;

@JsonIgnore
@Column(nullable = true)
private String apiToken;

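Review bot: The `@JsonIgnore` added above `passwordHash` (line 56) and `apiToken` (line 64) carries no comment explaining that it is a security control, so a later refactor could move the annotation or replace it with a view-specific mechanism without noticing the consequence; I would add `// Credential material: must never be serialized into API responses (see UsersTest.testNoSensitiveDataInJson).` above each annotated field. In Jackson 2 a field-level ignore applies to the whole logical property, so a getter for `apiToken` declared outside the hunk, if one exists, stays suppressed, and the same property is ignored on inbound JSON, which also prevents a client from setting these fields through deserialization. The hunk shows `authTokenIssueDate` but not the token value it is dated for; if a separate token field exists elsewhere in the class it deserves the same review. The enclosing class begins and ends outside all four hunks; the two import hunks only drop unused imports.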
18 changes: 9 additions & 9 deletions managed/src/test/java/com/yugabyte/yw/models/UsersTest.java
Expand Up @@ -3,24 +3,15 @@
package com.yugabyte.yw.models;

import com.fasterxml.jackson.databind.JsonNode;
import com.yugabyte.yw.common.ApiUtils;
import com.yugabyte.yw.common.ModelFactory;
import com.yugabyte.yw.forms.UniverseDefinitionTaskParams;
import org.apache.commons.lang3.RandomStringUtils;
import org.junit.Before;
import org.junit.Test;
import org.mindrot.jbcrypt.BCrypt;
import play.libs.Json;

import com.yugabyte.yw.common.FakeDBApplication;

import javax.persistence.PersistenceException;

import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.UUID;

import static com.yugabyte.yw.models.Users.Role;
import static org.junit.Assert.*;

Expand Down Expand Up @@ -136,4 +127,13 @@ public void testSetRole() {
assertEquals(fetchUser.getRole(), Role.ReadOnly);
}

@Test
public void testNoSensitiveDataInJson() {
Users u = Users.create("foo@foo.com", "password", Role.Admin, customer.uuid);
assertNotNull(u.uuid);

JsonNode json = Json.toJson(u);
assertEquals(false, json.has("passwordHash"));
assertEquals(false, json.has("apiToken"));
}
}
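Review bot: `testNoSensitiveDataInJson` (lines 100-108) would also pass if `Json.toJson(u)` produced an empty or null node, because it asserts only the absence of fields; add a positive control such as `assertEquals("foo@foo.com", json.get("email").asText());` so the test fails when serialization itself is broken rather than passing vacuously. As a point of style, `assertEquals(false, json.has("passwordHash"))` reads better as `assertFalse(json.has("passwordHash"))`, which the `org.junit.Assert.*` static import at line 94 already provides. `customer` is a fixture defined outside the hunk, presumably in the `@Before` setup, and the first hunk only removes unused imports.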
