From 8627d5790651f6748cd6e2c398398e5f7b638db7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?=
Date: Thu, 4 Apr 2019 18:02:48 +0200
Subject: [PATCH] Don't expose private RSA key cc @Tirokk
---
 backend/src/middleware/passwordMiddleware.js | 9 +++++++--
 backend/src/middleware/permissionsMiddleware.js | 3 ++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/backend/src/middleware/passwordMiddleware.js b/backend/src/middleware/passwordMiddleware.js
index 0aff222c8..0523d08dd 100644
--- a/backend/src/middleware/passwordMiddleware.js
+++ b/backend/src/middleware/passwordMiddleware.js
@@ -11,10 +11,15 @@ export default {
 }
 },
 Query: async (resolve, root, args, context, info) => {
- const result = await resolve(root, args, context, info)
- return walkRecursive(result, ['password'], () => {
+ let result = await resolve(root, args, context, info)
+ result = walkRecursive(result, ['password'], () => {
 // replace password with asterisk
 return '*****'
 })
+ result = walkRecursive(result, ['privateKey'], () => {
+ // replace password with asterisk
+ return '*****'
+ })
+ return result
 }
 }
diff --git a/backend/src/middleware/permissionsMiddleware.js b/backend/src/middleware/permissionsMiddleware.js
index 736ce20a9..f51051b19 100644
--- a/backend/src/middleware/permissionsMiddleware.js
+++ b/backend/src/middleware/permissionsMiddleware.js
@@ -73,7 +73,8 @@ const permissions = shield({
 },
 User: {
 email: isMyOwn,
- password: isMyOwn
+ password: isMyOwn,
+ privateKey: isMyOwn
 }
 })
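Review bot: In passwordMiddleware.js the `privateKey` masking is wired into the `Query` hook only, so a mutation or subscription result that carries a `User` is not covered by this change unless the entry above `Query:` (it starts outside the hunk) already masks it; that should be confirmed before treating this as the guard for the RSA key. The second walk also keeps the copied comment `// replace password with asterisk`, which should read something like `// never return the private RSA key to clients`. If `walkRecursive` accepts several field names, as its array argument suggests, one pass covers both fields: `return walkRecursive(result, ['password', 'privateKey'], () => '*****')`.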
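Review bot: In permissionsMiddleware.js, `privateKey: isMyOwn` still authorises the owning user to select the field, so the key stays reachable through the API for anyone holding that user's session, and only the `'*****'` masking in passwordMiddleware.js hides the value. If no client needs the key, `privateKey: deny` (assuming this is graphql-shield, whose built-in `deny` rule would need importing) or removing the field from the `User` type states the intent directly and does not depend on middleware order. The `shield({` call starts outside the hunk, so whether a fallback rule covers unlisted `User` fields is not visible here.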