Merge pull request #406 from Human-Connection/keep_private_rsa_key_secret
Don't expose private RSA key
c1d6caca38
@ -11,10 +11,11 @@ export default {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
Query: async (resolve, root, args, context, info) => {
|
Query: async (resolve, root, args, context, info) => {
|
||||||
const result = await resolve(root, args, context, info)
|
let result = await resolve(root, args, context, info)
|
||||||
return walkRecursive(result, ['password'], () => {
|
result = walkRecursive(result, ['password', 'privateKey'], () => {
|
||||||
// replace password with asterisk
|
// replace password with asterisk
|
||||||
return '*****'
|
return '*****'
|
||||||
})
|
})
|
||||||
|
return result
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
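Review bot: The comment `// replace password with asterisk` is now stale, since the key list handed to walkRecursive also contains 'privateKey'; change it to `// mask password and privateKey with asterisks`. The masking wrapper is attached only to `Query`, so a mutation resolver that returns a user object would still return privateKey unmasked unless the same wrapper is registered for `Mutation` elsewhere in this file, which the hunk does not show. The enclosing exported object starts and ends outside the hunk.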
|
|||||||
@ -90,7 +90,8 @@ const permissions = shield({
|
|||||||
},
|
},
|
||||||
User: {
|
User: {
|
||||||
email: isMyOwn,
|
email: isMyOwn,
|
||||||
password: isMyOwn
|
password: isMyOwn,
|
||||||
|
privateKey: isMyOwn
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
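Review bot: `privateKey: isMyOwn` still lets the owner read their own private key through the API, which is at odds with the PR title; if the key must never leave the server, an unconditional deny for this field (graphql-shield's `deny`) states that directly, and since `isMyOwn` is defined outside the hunk I cannot confirm what it checks. If owner access is intended, a short comment such as `// owner only; the Query middleware masks the value before it is returned` would explain why the field is not simply denied. The new line also lacks the trailing comma that the `password` line above it just gained.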
|
||||||
|
|||||||
@ -1,3 +1,4 @@
|
|||||||
|
import gql from 'graphql-tag'
|
||||||
import Factory from '../seed/factories'
|
import Factory from '../seed/factories'
|
||||||
import { GraphQLClient, request } from 'graphql-request'
|
import { GraphQLClient, request } from 'graphql-request'
|
||||||
import jwt from 'jsonwebtoken'
|
import jwt from 'jsonwebtoken'
|
||||||
@ -254,7 +255,7 @@ describe('change password', () => {
|
|||||||
}
|
}
|
||||||
|
|
||||||
describe('should be authenticated before changing password', () => {
|
describe('should be authenticated before changing password', () => {
|
||||||
it('throws not "Not Authorised!', async () => {
|
it('throws "Not Authorised!"', async () => {
|
||||||
await expect(
|
await expect(
|
||||||
request(
|
request(
|
||||||
host,
|
host,
|
||||||
@ -309,3 +310,97 @@ describe('change password', () => {
|
|||||||
})
|
})
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
describe('do not expose private RSA key', () => {
|
||||||
|
let headers
|
||||||
|
let client
|
||||||
|
const queryUserPuplicKey = gql`
|
||||||
|
query($queriedUserSlug: String) {
|
||||||
|
User(slug: $queriedUserSlug) {
|
||||||
|
id
|
||||||
|
publicKey
|
||||||
|
}
|
||||||
|
}`
|
||||||
|
const queryUserPrivateKey = gql`
|
||||||
|
query($queriedUserSlug: String) {
|
||||||
|
User(slug: $queriedUserSlug) {
|
||||||
|
id
|
||||||
|
privateKey
|
||||||
|
}
|
||||||
|
}`
|
||||||
|
|
||||||
|
const actionGenUserWithKeys = async () => {
|
||||||
|
// Generate user with "privateKey" via 'CreateUser' mutation instead of using the factories "factory.create('User', {...})", see above.
|
||||||
|
const variables = {
|
||||||
|
id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
|
||||||
|
password: 'xYz',
|
||||||
|
slug: 'apfel-strudel',
|
||||||
|
name: 'Apfel Strudel',
|
||||||
|
email: 'apfel-strudel@test.org'
|
||||||
|
}
|
||||||
|
await client.request(gql`
|
||||||
|
mutation($id: ID, $password: String!, $slug: String, $name: String, $email: String) {
|
||||||
|
CreateUser(id: $id, password: $password, slug: $slug, name: $name, email: $email) {
|
||||||
|
id
|
||||||
|
}
|
||||||
|
}`, variables
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
// not authenticate
|
||||||
|
beforeEach(async () => {
|
||||||
|
client = new GraphQLClient(host)
|
||||||
|
})
|
||||||
|
|
||||||
|
describe('unauthenticated query of "publicKey" (does the RSA key pair get generated at all?)', () => {
|
||||||
|
it('returns publicKey', async () => {
|
||||||
|
await actionGenUserWithKeys()
|
||||||
|
await expect(
|
||||||
|
await client.request(queryUserPuplicKey, { queriedUserSlug: 'apfel-strudel' })
|
||||||
|
).toEqual(expect.objectContaining({
|
||||||
|
User: [{
|
||||||
|
id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
|
||||||
|
publicKey: expect.any(String)
|
||||||
|
}]
|
||||||
|
}))
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
|
describe('unauthenticated query of "privateKey"', () => {
|
||||||
|
it('throws "Not Authorised!"', async () => {
|
||||||
|
await actionGenUserWithKeys()
|
||||||
|
await expect(
|
||||||
|
client.request(queryUserPrivateKey, { queriedUserSlug: 'apfel-strudel' })
|
||||||
|
).rejects.toThrow('Not Authorised')
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
|
// authenticate
|
||||||
|
beforeEach(async () => {
|
||||||
|
headers = await login({ email: 'test@example.org', password: '1234' })
|
||||||
|
client = new GraphQLClient(host, { headers })
|
||||||
|
})
|
||||||
|
|
||||||
|
describe('authenticated query of "publicKey"', () => {
|
||||||
|
it('returns publicKey', async () => {
|
||||||
|
await actionGenUserWithKeys()
|
||||||
|
await expect(
|
||||||
|
await client.request(queryUserPuplicKey, { queriedUserSlug: 'apfel-strudel' })
|
||||||
|
).toEqual(expect.objectContaining({
|
||||||
|
User: [{
|
||||||
|
id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
|
||||||
|
publicKey: expect.any(String)
|
||||||
|
}]
|
||||||
|
}))
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
|
describe('authenticated query of "privateKey"', () => {
|
||||||
|
it('throws "Not Authorised!"', async () => {
|
||||||
|
await actionGenUserWithKeys()
|
||||||
|
await expect(
|
||||||
|
client.request(queryUserPrivateKey, { queriedUserSlug: 'apfel-strudel' })
|
||||||
|
).rejects.toThrow('Not Authorised')
|
||||||
|
})
|
||||||
|
})
|
||||||
|
})
|
||||||
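Review bot: Both `beforeEach` hooks sit directly in the 'do not expose private RSA key' describe, so Jest runs both before every test in it and the second one (login as test@example.org) overwrites `client`; the two "unauthenticated" tests therefore run with an authenticated client and do not exercise the unauthenticated path at all. Move each hook into its own nested describe so it applies only to the tests it is meant for, as sketched below. None of the tests covers the owner querying their own privateKey (login as apfel-strudel@test.org / 'xYz'), which is the case the `isMyOwn` rule permits and only the masking middleware guards. `queryUserPuplicKey` should be spelled `queryUserPublicKey`, and `login` is used but not imported in this file's visible hunks, so presumably it is defined elsewhere in the file.
```javascript
describe('do not expose private RSA key', () => {
  // … unchanged: queryUserPublicKey, queryUserPrivateKey, actionGenUserWithKeys …

  describe('unauthenticated', () => {
    beforeEach(() => {
      client = new GraphQLClient(host)
    })
    // … unchanged: the two unauthenticated it() blocks …
  })

  describe('authenticated', () => {
    beforeEach(async () => {
      headers = await login({ email: 'test@example.org', password: '1234' })
      client = new GraphQLClient(host, { headers })
    })
    // … unchanged: the two authenticated it() blocks …
  })
})
```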
|
|||||||