Security : don't send back password hash

e9a50fb4 · Alexis POYEN · f6827e83 · e9a50fb4 · e9a50fb4 · e9a50fb4
Commit e9a50fb4 authored May 04, 2020 by Alexis POYEN
--- a/internal/rootmux/admin_test.go
+++ b/internal/rootmux/admin_test.go
@@ -64,9 +64,9 @@ func AdminTests(t *testing.T) {
 		xsrfHeader := tester.Header{Key: "XSRF-TOKEN", Value: token.XSRFToken}

 		// Create a Client
-		do("POST", apiAdminUsers, xsrfHeader, `{"login":"UserTest","password": "password","role":"CLIENT"}`, 200, `{"id":7,"idOAuth":"","login":"UserTest","role":"CLIENT","passwordHash":"`)
+		do("POST", apiAdminUsers, xsrfHeader, `{"login":"UserTest","password": "password","role":"CLIENT"}`, 200, `{"id":7,"idOAuth":"","login":"UserTest","role":"CLIENT"`)
 		// Create a Banker
-		do("POST", apiAdminUsers, xsrfHeader, `{"login":"BankerTest","password": "password","role":"BANKER"}`, 200, `{"id":8,"idOAuth":"","login":"BankerTest","role":"BANKER","passwordHash":"`)
+		do("POST", apiAdminUsers, xsrfHeader, `{"login":"BankerTest","password": "password","role":"BANKER"}`, 200, `{"id":8,"idOAuth":"","login":"BankerTest","role":"BANKER"`)
 		// Get all users
 		do("GET", apiAdminUsers, xsrfHeader, ``, 200, `[{"id":1,"idOAuth":"","login":"Dupond"`)
 		// Delete created users

--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -32,7 +32,7 @@ type User struct {
 	IsAdmin      bool   `json:"isAdmin,omitempty"`
 	Name         string `json:"name,omitempty"`
 	Surname      string `json:"surname,omitempty"`
-	PasswordHash string `json:"passwordHash,omitempty"`
+	PasswordHash string `json:"-"`
 	Password     string `json:"password,omitempty"`
 }


--- a/pkg/auth/inmemory.go
+++ b/pkg/auth/inmemory.go
@@ -97,7 +97,7 @@ func (d *DataHandler) AddUser(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 	// Encrypt the password with bcrypt
-	if newUser.Password == "" && newUser.PasswordHash == "" {
+	if newUser.Password == "" {
 		http.Error(w, "passwords cannot be blank", 400)
 		return
 	}
@@ -154,11 +154,6 @@ func (d *DataHandler) UpdateUser(w http.ResponseWriter, req *http.Request) {
 		user.Name = newUser.Name
 		user.Surname = newUser.Surname
 		user.Role = newUser.Role
-		// Encrypt the password with bcrypt if appropriate
-		if newUser.Password == "" && newUser.PasswordHash == "" {
-			http.Error(w, "passwords cannot be blank", http.StatusBadRequest)
-			return
-		}
 		if newUser.Password != "" {
 			hash, err := bcrypt.GenerateFromPassword([]byte(newUser.Password), bcrypt.DefaultCost)
 			if err != nil {