Enhancement: Limit data send back to the browser for valid session.

2020-02-12 15:25:31 +01:00 · 2020-02-12 15:25:31 +01:00 · e78af42b3c
parent 7a78645e3b
commit e78af42b3c
3 changed files with 29 additions and 4 deletions
--- a/app/models/application_model/can_associations.rb
+++ b/app/models/application_model/can_associations.rb
@ -236,9 +236,7 @@ returns

  def filter_attributes(attributes)
    # remove forbidden attributes
-    %w[password token tokens token_ids].each do |item|
-      attributes.delete(item)
-    end
+    attributes.except!('password', 'token', 'tokens', 'token_ids')
  end

 =begin
--- a/lib/session_helper.rb
+++ b/lib/session_helper.rb
@ -3,7 +3,7 @@ module SessionHelper
    collections, assets = default_collections(user)

    {
-      session:     user,
+      session:     user.filter_attributes(user.attributes),
      models:      models(user),
      collections: collections,
      assets:      assets,
--- a/spec/requests/session_spec.rb
+++ b/spec/requests/session_spec.rb
@ -2,6 +2,33 @@ require 'rails_helper'

 RSpec.describe 'Sessions endpoints', type: :request do

+  describe 'GET /signshow' do
+
+    context 'user logged in' do
+
+      subject(:user) { create(:agent_user, password: password) }
+
+      let(:password) { SecureRandom.urlsafe_base64(20) }
+      let(:fingerprint) { SecureRandom.urlsafe_base64(40) }
+
+      before do
+        params = {
+          fingerprint: fingerprint,
+          username:    user.login,
+          password:    password
+        }
+        post '/api/v1/signin', params: params, as: :json
+      end
+
+      it 'leaks no sensitive data' do
+        params = { fingerprint: fingerprint }
+        get '/api/v1/signshow', params: params, as: :json
+
+        expect(json_response['session']).not_to include('password')
+      end
+    end
+  end
+
  describe 'GET /auth/sso (single sign-on)' do
    context 'with invalid user login' do
      let(:login) { User.pluck(:login).max.next }