From e9a50fb435d94607b9c72516c50d8150d1df3195 Mon Sep 17 00:00:00 2001
From: Alexis Poyen <apoyen@mail.apoyen.fr>
Date: Mon, 4 May 2020 10:52:48 +0200
Subject: [PATCH] Security : don't send back password hash

---
 internal/rootmux/admin_test.go | 4 ++--
 pkg/auth/auth.go               | 2 +-
 pkg/auth/inmemory.go           | 7 +------
 3 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/internal/rootmux/admin_test.go b/internal/rootmux/admin_test.go
index 945d11f..7c801a3 100644
--- a/internal/rootmux/admin_test.go
+++ b/internal/rootmux/admin_test.go
@@ -64,9 +64,9 @@ func AdminTests(t *testing.T) {
 		xsrfHeader := tester.Header{Key: "XSRF-TOKEN", Value: token.XSRFToken}
 
 		// Create a Client
-		do("POST", apiAdminUsers, xsrfHeader, `{"login":"UserTest","password": "password","role":"CLIENT"}`, 200, `{"id":7,"idOAuth":"","login":"UserTest","role":"CLIENT","passwordHash":"`)
+		do("POST", apiAdminUsers, xsrfHeader, `{"login":"UserTest","password": "password","role":"CLIENT"}`, 200, `{"id":7,"idOAuth":"","login":"UserTest","role":"CLIENT"`)
 		// Create a Banker
-		do("POST", apiAdminUsers, xsrfHeader, `{"login":"BankerTest","password": "password","role":"BANKER"}`, 200, `{"id":8,"idOAuth":"","login":"BankerTest","role":"BANKER","passwordHash":"`)
+		do("POST", apiAdminUsers, xsrfHeader, `{"login":"BankerTest","password": "password","role":"BANKER"}`, 200, `{"id":8,"idOAuth":"","login":"BankerTest","role":"BANKER"`)
 		// Get all users
 		do("GET", apiAdminUsers, xsrfHeader, ``, 200, `[{"id":1,"idOAuth":"","login":"Dupond"`)
 		// Delete created users
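Review bot: The updated expectations only shorten the prefix the response is compared against, so nothing in this test would fail if `passwordHash` reappeared in the body after `"role":"CLIENT"`. If `do` matches the expected string as a prefix, as the old expectations ending in `"passwordHash":"` suggest, a regression would go unnoticed. A negative check that the create and "Get all users" response bodies do not contain the substring `passwordHash` would pin the behaviour this commit is for; how to express it depends on what `do` exposes, which is outside the hunk. AdminTests starts and ends outside the hunk.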
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index ec1bf13..8ea2fab 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -32,7 +32,7 @@ type User struct {
 	IsAdmin      bool   `json:"isAdmin,omitempty"`
 	Name         string `json:"name,omitempty"`
 	Surname      string `json:"surname,omitempty"`
-	PasswordHash string `json:"passwordHash,omitempty"`
+	PasswordHash string `json:"-"`
 	Password     string `json:"password,omitempty"`
 }
 
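Review bot: `json:"-"` stops PasswordHash from being unmarshaled as well as marshaled, and it applies to every use of encoding/json on User, not just HTTP responses; if the user store is ever persisted or loaded through encoding/json (not visible here), the hash would be dropped on write and users would lose their credentials on reload — worth confirming against the store code. If that is the case, the usual shape is to keep the field serializable for storage and strip it at the API boundary (a response struct or a custom MarshalJSON), so the two concerns do not share one tag. The adjacent Password field still carries `json:"password,omitempty"`, so any handler that returns a User must clear Password before encoding; the inmemory.go hunks in this patch do not show that. A comment on the field would make the intent explicit: `// PasswordHash is never exposed or accepted via JSON; callers must set it from Password.` The User struct starts outside the hunk.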
diff --git a/pkg/auth/inmemory.go b/pkg/auth/inmemory.go
index 870944e..140ddc1 100644
--- a/pkg/auth/inmemory.go
+++ b/pkg/auth/inmemory.go
@@ -97,7 +97,7 @@ func (d *DataHandler) AddUser(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 	// Encrypt the password with bcrypt
-	if newUser.Password == "" && newUser.PasswordHash == "" {
+	if newUser.Password == "" {
 		http.Error(w, "passwords cannot be blank", 400)
 		return
 	}
@@ -154,11 +154,6 @@ func (d *DataHandler) UpdateUser(w http.ResponseWriter, req *http.Request) {
 		user.Name = newUser.Name
 		user.Surname = newUser.Surname
 		user.Role = newUser.Role
-		// Encrypt the password with bcrypt if appropriate
-		if newUser.Password == "" && newUser.PasswordHash == "" {
-			http.Error(w, "passwords cannot be blank", http.StatusBadRequest)
-			return
-		}
 		if newUser.Password != "" {
 			hash, err := bcrypt.GenerateFromPassword([]byte(newUser.Password), bcrypt.DefaultCost)
 			if err != nil {
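Review bot: Removing the blank-password check changes UpdateUser's behaviour beyond the commit's stated purpose: an update with an empty `password` was previously rejected with 400 and now appears to be accepted, leaving the stored hash unchanged (the visible assignments do not touch PasswordHash and the re-hash is guarded by `if newUser.Password != ""`, but the rest of the function is outside the hunk). If that is intended, it deserves a line in the commit message and a comment in place of the one that was deleted, e.g. `// Re-hash only when a new password was supplied; an empty password keeps the existing hash`. AddUser in the earlier hunk still rejects an empty password, so the two handlers now differ on this point, which is fine for create-vs-update but should be deliberate. UpdateUser starts and ends outside the hunk.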
-- 
GitLab