
PATCHing an account will change its password #2058

Closed
magopian opened this issue Feb 22, 2019 · 0 comments · Fixed by #2229
magopian commented Feb 22, 2019

If the password isn't provided in a PATCH to the accounts endpoint, the password will be automatically changed (to what?). Proof:

$ http GET https://kinto-dev.classea12.beta.gouv.fr/v1/accounts/[email protected] --auth #<REDACTED>#

HTTP/1.1 200 OK
Access-Control-Expose-Headers: Pragma, Backoff, Alert, Expires, Content-Length, Cache-Control, Last-Modified, ETag, Retry-After
Cache-Control: no-cache, no-store
Content-Length: 275
Content-Type: application/json
Date: Fri, 22 Feb 2019 17:28:51 GMT
ETag: "1550772518933"
Last-Modified: Thu, 21 Feb 2019 18:08:38 GMT
Via: 1.1 alproxy
X-Content-Type-Options: nosniff

{
    "data": {
        "id": "[email protected]",
        "last_modified": 1550772518933,
        "password": "$2b$12$S.foDbLWg75zCCOgTyb9POXmH67mcGkZin584hgEFyLYoCJcv2Bfa",
        "profile": "c8ba193d-f989-48ae-a95d-1941d2d44897",
        "validated": true
    },
    "permissions": {
        "write": [
            "account:[email protected]"
        ]
    }
}

Now let's do a patch:

$ echo '{"data": { "foo": "bar"}}' | http PATCH https://kinto-dev.classea12.beta.gouv.fr/v1/accounts/[email protected] --auth #<REDACTED>#

HTTP/1.1 200 OK
Access-Control-Expose-Headers: Retry-After, Backoff, Alert, Content-Length
Content-Length: 287
Content-Type: application/json
Date: Fri, 22 Feb 2019 17:40:07 GMT
ETag: "1550857207387"
Last-Modified: Fri, 22 Feb 2019 17:40:07 GMT
Via: 1.1 alproxy
X-Content-Type-Options: nosniff

{
    "data": {
        "foo": "bar",
        "id": "[email protected]",
        "last_modified": 1550857207387,
        "password": "$2b$12$ShdFHEEyhRgDgfP4S8x6j.0otOhnKjbkca4yQ7IXQP.x6kHlvER.G",
        "profile": "c8ba193d-f989-48ae-a95d-1941d2d44897",
        "validated": true
    },
    "permissions": {
        "write": [
            "account:[email protected]"
        ]
    }
}

Notice that we did not provide a password in the data, but still the final hash is not the same as the one we had before. It's now impossible to use this account, unless PATCHing it again with an admin account, and this time around providing the password in the data.

magopian added the bug label Feb 22, 2019
leplatrem added a commit that referenced this issue Aug 13, 2019
Prevent password to be modified on modification of accounts metadata (fixes #2058)
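The report shows the symptom (a PATCH without a `password` field still replaces the stored bcrypt hash) but not the mechanism. The following is an added example, not Kinto's own code: it models an account update handler in two variants, one that re-hashes whatever value the merged record carries on every update (an assumed way the symptom can arise), and one that only re-hashes when the client actually sent a new password, which is the behaviour the fix commit above describes. The function names are hypothetical, and PBKDF2 via `hashlib` stands in for bcrypt so the example runs without third-party packages; the stored-hash format is constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; stand-in for the bcrypt hashes ("$2b$12$...")
    seen in the report. Format is constructed: pbkdf2$<salt hex>$<digest hex>."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def patch_account_buggy(existing: dict, patch: dict) -> dict:
    """Hypothetical handler reproducing the reported symptom: the update path
    hashes the 'password' field of the merged record unconditionally, so a
    PATCH that omits the password re-hashes the previous hash and the account
    can no longer be authenticated with its real password."""
    merged = {**existing, **patch}
    merged["password"] = hash_password(merged["password"])
    return merged


def patch_account_fixed(existing: dict, patch: dict) -> dict:
    """Hypothetical handler with the fix: only re-hash when the client sent a
    new password; otherwise carry the existing hash through untouched."""
    merged = {**existing, **patch}
    if "password" in patch:
        merged["password"] = hash_password(patch["password"])
    else:
        merged["password"] = existing["password"]
    return merged


def regression_check(password: str = "correct horse battery") -> dict:
    """Runs the PATCH from the report ({"foo": "bar"}, no password) through both
    handlers and reports whether the hash moved and whether login still works.
    The account record is constructed; the id is the one shown in the report."""
    account = {
        "id": "[email protected]",
        "password": hash_password(password),
        "validated": True,
    }
    metadata_only_patch = {"foo": "bar"}
    after_bug = patch_account_buggy(account, metadata_only_patch)
    after_fix = patch_account_fixed(account, metadata_only_patch)
    # A PATCH that does carry a password must still rotate the hash.
    rotated = patch_account_fixed(account, {"password": "new secret"})
    return {
        "buggy_hash_changed": after_bug["password"] != account["password"],
        "buggy_login_works": verify_password(password, after_bug["password"]),
        "fixed_hash_changed": after_fix["password"] != account["password"],
        "fixed_login_works": verify_password(password, after_fix["password"]),
        "fixed_foo_kept": after_fix.get("foo") == "bar",
        "rotation_works": verify_password("new secret", rotated["password"]),
    }


if __name__ == "__main__":
    for key, value in regression_check().items():
        print(f"{key}: {value}")
```

The useful defensive check here is the one `regression_check` encodes: after any update that does not include `password`, the stored hash must be byte-for-byte identical to the one read before the update, and the original credential must still verify. That assertion belongs in the test suite of any endpoint that both stores hashed secrets and accepts partial updates, since an unconditional re-hash on the write path is easy to introduce and produces exactly the silent lockout described in this issue.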