Merge pull request #406 from Human-Connection/keep_private_rsa_key_secret

Don't expose private RSA key
2025-12-13 07:46:06 +00:00 · 2019-04-12 20:09:31 +02:00 · 2019-04-12 20:09:31 +02:00 · c1d6caca38
commit c1d6caca38
parent 702a239180 aadfd16374
3 changed files with 101 additions and 4 deletions
--- a/backend/src/middleware/passwordMiddleware.js
+++ b/backend/src/middleware/passwordMiddleware.js
@ -11,10 +11,11 @@ export default {
    }
  },
  Query: async (resolve, root, args, context, info) => {
-    const result = await resolve(root, args, context, info)
-    return walkRecursive(result, ['password'], () => {
+    let result = await resolve(root, args, context, info)
+    result = walkRecursive(result, ['password', 'privateKey'], () => {
      // replace password with asterisk
      return '*****'
    })
+    return result
  }
 }
--- a/backend/src/middleware/permissionsMiddleware.js
+++ b/backend/src/middleware/permissionsMiddleware.js
@ -90,7 +90,8 @@ const permissions = shield({
  },
  User: {
    email: isMyOwn,
-    password: isMyOwn
+    password: isMyOwn,
+    privateKey: isMyOwn
  }
 })

--- a/backend/src/resolvers/user_management.spec.js
+++ b/backend/src/resolvers/user_management.spec.js
@ -1,3 +1,4 @@
+import gql from 'graphql-tag'
 import Factory from '../seed/factories'
 import { GraphQLClient, request } from 'graphql-request'
 import jwt from 'jsonwebtoken'
@ -254,7 +255,7 @@ describe('change password', () => {
  }

  describe('should be authenticated before changing password', () => {
-    it('throws not "Not Authorised!', async () => {
+    it('throws "Not Authorised!"', async () => {
      await expect(
        request(
          host,
@ -309,3 +310,97 @@ describe('change password', () => {
    })
  })
 })
+
+describe('do not expose private RSA key', () => {
+  let headers
+  let client
+  const queryUserPuplicKey = gql`
+    query($queriedUserSlug: String) {
+      User(slug: $queriedUserSlug) {
+        id
+        publicKey
+      }
+    }`
+  const queryUserPrivateKey = gql`
+    query($queriedUserSlug: String) {
+      User(slug: $queriedUserSlug) {
+        id
+        privateKey
+      }
+    }`
+
+  const actionGenUserWithKeys = async () => {
+    // Generate user with "privateKey" via 'CreateUser' mutation instead of using the factories "factory.create('User', {...})", see above.
+    const variables = {
+      id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
+      password: 'xYz',
+      slug: 'apfel-strudel',
+      name: 'Apfel Strudel',
+      email: 'apfel-strudel@test.org'
+    }
+    await client.request(gql`
+      mutation($id: ID, $password: String!, $slug: String, $name: String, $email: String) {
+        CreateUser(id: $id, password: $password, slug: $slug, name: $name, email: $email) {
+          id
+        }
+      }`, variables
+    )
+  }
+
+  // not authenticate
+  beforeEach(async () => {
+    client = new GraphQLClient(host)
+  })
+
+  describe('unauthenticated query of "publicKey" (does the RSA key pair get generated at all?)', () => {
+    it('returns publicKey', async () => {
+      await actionGenUserWithKeys()
+      await expect(
+        await client.request(queryUserPuplicKey, { queriedUserSlug: 'apfel-strudel' })
+      ).toEqual(expect.objectContaining({
+        User: [{
+          id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
+          publicKey: expect.any(String)
+        }]
+      }))
+    })
+  })
+
+  describe('unauthenticated query of "privateKey"', () => {
+    it('throws "Not Authorised!"', async () => {
+      await actionGenUserWithKeys()
+      await expect(
+        client.request(queryUserPrivateKey, { queriedUserSlug: 'apfel-strudel' })
+      ).rejects.toThrow('Not Authorised')
+    })
+  })
+
+  // authenticate
+  beforeEach(async () => {
+    headers = await login({ email: 'test@example.org', password: '1234' })
+    client = new GraphQLClient(host, { headers })
+  })
+
+  describe('authenticated query of "publicKey"', () => {
+    it('returns publicKey', async () => {
+      await actionGenUserWithKeys()
+      await expect(
+        await client.request(queryUserPuplicKey, { queriedUserSlug: 'apfel-strudel' })
+      ).toEqual(expect.objectContaining({
+        User: [{
+          id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
+          publicKey: expect.any(String)
+        }]
+      }))
+    })
+  })
+
+  describe('authenticated query of "privateKey"', () => {
+    it('throws "Not Authorised!"', async () => {
+      await actionGenUserWithKeys()
+      await expect(
+        client.request(queryUserPrivateKey, { queriedUserSlug: 'apfel-strudel' })
+      ).rejects.toThrow('Not Authorised')
+    })
+  })
+})