#10 Password Hashes and API Tokens Returned in Response

Summary: - Removed fields with sensitive data from users information. Test Plan: Scenario. 1. Login YW. 2. Open the browser developers panel; tab 'Network'; type of packets 'XHR'; (captions are from Chrome, could differ for other browsers); 3. In YW: go to 'Profile' (from the dropdown list under the user icon in right upper corner); open tab 'Users'; 4. In developers panel: Find a request ''users", select the "Preview" mode in right panel of the developers panel; check that each user's description (data) doesn't have fields 'passwordHash' and 'apiToken' (see the picture). {F14340} Reviewers: daniel Reviewed By: daniel Subscribers: jenkins-bot, yugaware, wesley Differential Revision: https://phabricator.dev.yugabyte.com/D9785
yugabyte · Oct 29, 2020 · ce47c60 · ce47c60
1 parent c1462a1
commit ce47c60
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 12 deletions.
diff --git a/managed/src/main/java/com/yugabyte/yw/models/Users.java b/managed/src/main/java/com/yugabyte/yw/models/Users.java
@@ -11,8 +11,6 @@
 import javax.persistence.Entity;
 import javax.persistence.Enumerated;
 import javax.persistence.EnumType;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
 import javax.persistence.Id;
 
 import org.joda.time.DateTime;
@@ -26,7 +24,6 @@
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
-import com.google.common.base.Joiner;
 
 import play.data.validation.Constraints;
 import play.libs.Json;
@@ -91,6 +88,7 @@ public String getEmail() {
     return this.email;
   }
 
+  @JsonIgnore
   @Column(length = 256, nullable = false)
   public String passwordHash;
 
@@ -107,6 +105,7 @@ public void setPassword(String password) {
   @Column(nullable = true)
   private Date authTokenIssueDate;
 
+  @JsonIgnore
   @Column(nullable = true)
   private String apiToken;
 

diff --git a/managed/src/test/java/com/yugabyte/yw/models/UsersTest.java b/managed/src/test/java/com/yugabyte/yw/models/UsersTest.java
@@ -3,24 +3,15 @@
 package com.yugabyte.yw.models;
 
 import com.fasterxml.jackson.databind.JsonNode;
-import com.yugabyte.yw.common.ApiUtils;
 import com.yugabyte.yw.common.ModelFactory;
-import com.yugabyte.yw.forms.UniverseDefinitionTaskParams;
-import org.apache.commons.lang3.RandomStringUtils;
 import org.junit.Before;
 import org.junit.Test;
-import org.mindrot.jbcrypt.BCrypt;
 import play.libs.Json;
 
 import com.yugabyte.yw.common.FakeDBApplication;
 
 import javax.persistence.PersistenceException;
 
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.UUID;
-
 import static com.yugabyte.yw.models.Users.Role;
 import static org.junit.Assert.*;
 
@@ -136,4 +127,13 @@ public void testSetRole() {
     assertEquals(fetchUser.getRole(), Role.ReadOnly);
   }
 
+  @Test
+  public void testNoSensitiveDataInJson() {
+    Users u = Users.create("[email protected]", "password", Role.Admin, customer.uuid);
+    assertNotNull(u.uuid);
+
+    JsonNode json = Json.toJson(u);
+    assertEquals(false, json.has("passwordHash"));
+    assertEquals(false, json.has("apiToken"));
+  }
 }