From f198214882d27c8902d20643200845c6ead8eb9b Mon Sep 17 00:00:00 2001
From: Jacob Walls
Date: Mon, 25 Nov 2024 09:52:33 -0500
Subject: [PATCH] Mark passwords as sensitive variables #11652

---
 arches/app/views/api/auth.py | 2 ++
 arches/app/views/auth.py | 9 ++++++++-
 releases/8.0.0.md | 1 +
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/arches/app/views/api/auth.py b/arches/app/views/api/auth.py
index 6f95f5b759c..e01c8abb0c7 100644
--- a/arches/app/views/api/auth.py
+++ b/arches/app/views/api/auth.py
@@ -4,6 +4,7 @@
 from django.contrib.auth import authenticate, login, logout
 from django.utils.decorators import method_decorator
 from django.utils.translation import gettext as _
+from django.views.decorators.debug import sensitive_variables
 from django_ratelimit.decorators import ratelimit
 
 from arches.app.models.system_settings import settings
@@ -17,6 +18,7 @@ class Login(LoginView, APIBase):
 
     http_method_names = ["post"]
 
+    @sensitive_variables()
     @method_decorator(
         ratelimit(key="post:username", rate=settings.RATE_LIMIT, block=False)
     )
diff --git a/arches/app/views/auth.py b/arches/app/views/auth.py
index 4bc74ac2d17..e29d0e2fe0c 100644
--- a/arches/app/views/auth.py
+++ b/arches/app/views/auth.py
@@ -19,7 +19,6 @@
 import base64
 import io
 
-from django.http import response
 from arches.app.utils.external_oauth_backend import ExternalOauthAuthenticationBackend
 import qrcode
 import pyotp
@@ -33,6 +32,7 @@
 from django.utils.decorators import method_decorator
 from django.views.decorators.cache import never_cache
 from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.debug import sensitive_variables
 from django.utils.html import strip_tags
 from django.utils.translation import gettext as _
 from django.utils.http import urlencode
@@ -87,6 +87,7 @@ def get(self, request):
             },
         )
 
+    @sensitive_variables()
     @method_decorator(
         ratelimit(
             key="post:username",
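Review bot: `@sensitive_variables()` on `Login.post` (the `@@ -17,6 +18,7 @@` hunk of arches/app/views/api/auth.py) masks the frame's local variables in Django's error report, but the submitted password is also reproduced verbatim in the report's request section, which is filtered only by `sensitive_post_parameters`; the same gap applies to the `@@ -87,6 +87,7 @@` hunk of arches/app/views/auth.py and to that file's later `post` handlers (`@@ -369`, `@@ -425`, `@@ -446`, `@@ -465`, `@@ -573`). Adding `@method_decorator(sensitive_post_parameters("password"))` directly under `@sensitive_variables()` on each of these closes it (imported from the same `django.views.decorators.debug` module; Django's own `LoginView.dispatch` pairs the two decorators this way), and which parameter names each handler actually reads is outside the hunks, so the name list may need to be wider than `"password"`. Keeping `@sensitive_variables()` as the outermost decorator, as the commit does, is correct per the Django docs, since the reporter walks callers looking for the wrapper frame and everything beneath it is cleaned. The decorated methods' bodies continue outside the hunks.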
@@ -369,6 +370,7 @@ def get(self, request):
         }
         return JSONResponse(messages)
 
+    @sensitive_variables()
     @method_decorator(ratelimit(key="user", rate=settings.RATE_LIMIT, block=False))
     def post(self, request):
         messages = {
@@ -425,6 +427,7 @@ class PasswordResetConfirmView(auth_views.PasswordResetConfirmView):
 
 @method_decorator(csrf_exempt, name="dispatch")
 class UserProfileView(View):
+    @sensitive_variables()
     @method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
     def post(self, request):
         username = request.POST.get("username", None)
@@ -446,6 +449,7 @@ def post(self, request):
 
 @method_decorator(csrf_exempt, name="dispatch")
 class GetClientIdView(View):
+    @sensitive_variables()
     @method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
     def post(self, request):
         if settings.OAUTH_CLIENT_ID == "":
@@ -465,6 +469,7 @@ def post(self, request):
 
 @method_decorator(csrf_exempt, name="dispatch")
 class ServerSettingView(View):
+    @sensitive_variables()
     @method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
     def post(self, request):
         if settings.OAUTH_CLIENT_ID == "":
@@ -573,6 +578,7 @@ def post(self, request):
 
 @method_decorator(never_cache, name="dispatch")
 class TwoFactorAuthenticationLoginView(View):
+    @sensitive_variables()
     def post(self, request):
         username = request.POST.get("username", None)
         password = request.POST.get("password", None)
@@ -718,6 +724,7 @@ def post(self, request):
 
 @method_decorator(csrf_exempt, name="dispatch")
 class Token(View):
+    @sensitive_variables()
     def get(self, request):
         if settings.DEBUG:
             data = {
diff --git a/releases/8.0.0.md b/releases/8.0.0.md
index 91189c8d23c..cab180e5173 100644
--- a/releases/8.0.0.md
+++ b/releases/8.0.0.md
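Review bot: `@sensitive_variables()` on `Token.get` (the `@@ -718,6 +724,7 @@` hunk) hides the handler's locals, but a GET handler that accepts credentials receives them in the query string, and neither `sensitive_variables` nor `sensitive_post_parameters` filters `request.GET` or the request URL that the error report (and any access log) records; how `Token.get` reads its inputs is outside the hunk, so this needs confirming against the body. If it does take a password from `request.GET`, the decorator does not deliver what the release note promises for that view, and the durable fix is to accept the credential in a POST body; failing that, mark the residual exposure with a comment such as `# sensitive_variables() covers locals only; query-string credentials still appear in the request URL of error reports`. Separately, `@sensitive_variables()` with no names blanks every local in the decorated frames (`username`, `messages`, the `request` object), which is the safe default but leaves reports with little to debug from; naming the secret locals, e.g. `@sensitive_variables("password")`, would keep the rest readable where only one local is secret. Each `post`/`get` body continues outside its hunk.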
@@ -20,6 +20,7 @@ Arches 8.0.0 Release Notes
 ### Additional highlights
 - Add session-based REST APIs for login, logout [#11261](https://github.com/archesproject/arches/issues/11261)
 - Add system check advising next action when enabling additional languages without updating graphs [#10079](https://github.com/archesproject/arches/issues/10079)
+- Auth views now filter out passwords from error reports when running in production [#11652](https://github.com/archesproject/arches/issues/11652)
 - Improve handling of longer model names [#11317](https://github.com/archesproject/arches/issues/11317)
 - Support more expressive plugin URLs [#11320](https://github.com/archesproject/arches/issues/11320)
 - Make node aliases not nullable [#10437](https://github.com/archesproject/arches/issues/10437)