Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent creation of admins when username unknown #229

Merged
merged 3 commits into from
Apr 21, 2023
Merged

Prevent creation of admins when username unknown #229

merged 3 commits into from
Apr 21, 2023

Conversation

dbernstein
Copy link
Contributor

@dbernstein dbernstein commented Apr 20, 2023
edited
Loading

Description

While testing the registry I noticed that logging in using a username that is not in the database causes a record to be created with an empty password hash. Attempting to log in with the same credentials then results in a 500 since attempts to validate a user with no password hash breaks the authentication.

This PR ensures that a new admin user is created only when there are no admins in the database (ie on first access). After that logging in with a random user and password does not result in a new admin user being added to the database.

It also includes an alembic migration to remove any admin users with empty or null password fields.

Motivation and Context

Notion

How Has This Been Tested?

Manually tested and unit test verifies fix.

Checklist

  • I have updated the documentation accordingly.
  • All new and existing tests passed.

@dbernstein dbernstein requested a review from a team April 20, 2023 21:25
RishiDiwanTT
RishiDiwanTT approved these changes Apr 21, 2023
View reviewed changes
Copy link
Contributor

@RishiDiwanTT RishiDiwanTT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Looks Good

@dbernstein dbernstein merged commit 4fbb37a into main Apr 21, 2023
@dbernstein dbernstein deleted the prevent-creation-of-admins-when-username-unknown branch April 21, 2023 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RishiDiwanTT RishiDiwanTT RishiDiwanTT approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dbernstein @RishiDiwanTT