Skip to content

GitLab

Commit e9a50fb4 authored by Alexis POYEN's avatar Alexis POYEN
Browse files

Security : don't send back password hash

parent f6827e83
Hide whitespace changes
Inline Side-by-side
internal/rootmux/admin_test.go
View file @ e9a50fb4
......@@ -64,9 +64,9 @@ func AdminTests(t *testing.T) {
xsrfHeader := tester.Header{Key: "XSRF-TOKEN", Value: token.XSRFToken}
// Create a Client
do("POST", apiAdminUsers, xsrfHeader, `{"login":"UserTest","password": "password","role":"CLIENT"}`, 200, `{"id":7,"idOAuth":"","login":"UserTest","role":"CLIENT","passwordHash":"`)
do("POST", apiAdminUsers, xsrfHeader, `{"login":"UserTest","password": "password","role":"CLIENT"}`, 200, `{"id":7,"idOAuth":"","login":"UserTest","role":"CLIENT"`)
// Create a Banker
do("POST", apiAdminUsers, xsrfHeader, `{"login":"BankerTest","password": "password","role":"BANKER"}`, 200, `{"id":8,"idOAuth":"","login":"BankerTest","role":"BANKER","passwordHash":"`)
do("POST", apiAdminUsers, xsrfHeader, `{"login":"BankerTest","password": "password","role":"BANKER"}`, 200, `{"id":8,"idOAuth":"","login":"BankerTest","role":"BANKER"`)
// Get all users
do("GET", apiAdminUsers, xsrfHeader, ``, 200, `[{"id":1,"idOAuth":"","login":"Dupond"`)
// Delete created users
......
pkg/auth/auth.go
View file @ e9a50fb4
......@@ -32,7 +32,7 @@ type User struct {
IsAdmin bool `json:"isAdmin,omitempty"`
Name string `json:"name,omitempty"`
Surname string `json:"surname,omitempty"`
PasswordHash string `json:"passwordHash,omitempty"`
PasswordHash string `json:"-"`
Password string `json:"password,omitempty"`
}
......
pkg/auth/inmemory.go
View file @ e9a50fb4
......@@ -97,7 +97,7 @@ func (d *DataHandler) AddUser(w http.ResponseWriter, req *http.Request) {
return
}
// Encrypt the password with bcrypt
if newUser.Password == "" && newUser.PasswordHash == "" {
if newUser.Password == "" {
http.Error(w, "passwords cannot be blank", 400)
return
}
......@@ -154,11 +154,6 @@ func (d *DataHandler) UpdateUser(w http.ResponseWriter, req *http.Request) {
user.Name = newUser.Name
user.Surname = newUser.Surname
user.Role = newUser.Role
// Encrypt the password with bcrypt if appropriate
if newUser.Password == "" && newUser.PasswordHash == "" {
http.Error(w, "passwords cannot be blank", http.StatusBadRequest)
return
}
if newUser.Password != "" {
hash, err := bcrypt.GenerateFromPassword([]byte(newUser.Password), bcrypt.DefaultCost)
if err != nil {
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment