From e78af42b3c979ea10a0a3bbd049041fcf27031bd Mon Sep 17 00:00:00 2001
From: Thorsten Eckel
Date: Wed, 12 Feb 2020 15:25:31 +0100
Subject: [PATCH] Enhancement: Limit data send back to the browser for valid session.
---
 .../application_model/can_associations.rb | 4 +--
 lib/session_helper.rb | 2 +-
 spec/requests/session_spec.rb | 27 +++++++++++++++++++
 3 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/app/models/application_model/can_associations.rb b/app/models/application_model/can_associations.rb
index 95f55f7ce..0cb97fde8 100644
--- a/app/models/application_model/can_associations.rb
+++ b/app/models/application_model/can_associations.rb
@@ -236,9 +236,7 @@ returns
 def filter_attributes(attributes)
 # remove forbidden attributes
- %w[password token tokens token_ids].each do |item|
- attributes.delete(item)
- end
+ attributes.except!('password', 'token', 'tokens', 'token_ids')
 end
 =begin
diff --git a/lib/session_helper.rb b/lib/session_helper.rb
index ce1e41774..0bfea263d 100644
--- a/lib/session_helper.rb
+++ b/lib/session_helper.rb
@@ -3,7 +3,7 @@ module SessionHelper
 collections, assets = default_collections(user)
 {
- session: user,
+ session: user.filter_attributes(user.attributes),
 models: models(user),
 collections: collections,
 assets: assets,
diff --git a/spec/requests/session_spec.rb b/spec/requests/session_spec.rb
index c90981075..84f560676 100644
--- a/spec/requests/session_spec.rb
+++ b/spec/requests/session_spec.rb
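Review bot: `attributes.except!` changes the contract of filter_attributes in two ways the hunk does not document: the method now returns the filtered hash instead of the `%w[...]` key list that the removed `.each` returned, and it still modifies the caller's hash in place, so the `=begin` documentation above the method (outside the hunk) should state both. The keys are compared as strings, so a symbol-keyed hash would pass through untouched; a comment such as `# denylist applied to string-keyed hashes (e.g. ActiveRecord#attributes); mutates and returns the argument` would make that explicit. `Hash#except!` is ActiveSupport rather than core Ruby, which is fine in a Rails model but worth knowing for anyone calling this from plain Ruby. Since this is a denylist, any sensitive column added later is exposed unless it is also added here; hoisting the list into a frozen constant, `FORBIDDEN_ATTRIBUTES = %w[password token tokens token_ids].freeze`, gives that list one obvious home.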
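Review bot: `user.attributes` is the raw column hash of the record, so after this change every database column except the four keys removed by filter_attributes reaches the browser as-is, whereas `session: user` previously went through the model's own JSON serialization, which is not visible here. Whether that serialization already omitted more than those four keys cannot be told from this hunk; it should be checked before relying on the denylist alone, and the decision recorded in a comment on this line, e.g. `# raw column hash minus the filter_attributes denylist; anything not listed there is sent to the client`. Passing the result of `user.attributes` directly is safe with respect to the in-place `except!`, because `attributes` builds a fresh hash on each call and the record itself is not modified; a short note saying so would save the next reader the same check. The enclosing method starts outside the hunk.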
@@ -2,6 +2,33 @@ require 'rails_helper'
 RSpec.describe 'Sessions endpoints', type: :request do
+ describe 'GET /signshow' do
+
+ context 'user logged in' do
+
+ subject(:user) { create(:agent_user, password: password) }
+
+ let(:password) { SecureRandom.urlsafe_base64(20) }
+ let(:fingerprint) { SecureRandom.urlsafe_base64(40) }
+
+ before do
+ params = {
+ fingerprint: fingerprint,
+ username: user.login,
+ password: password
+ }
+ post '/api/v1/signin', params: params, as: :json
+ end
+
+ it 'leaks no sensitive data' do
+ params = { fingerprint: fingerprint }
+ get '/api/v1/signshow', params: params, as: :json
+
+ expect(json_response['session']).not_to include('password')
+ end
+ end
+ end
+
 describe 'GET /auth/sso (single sign-on)' do
 context 'with invalid user login' do
 let(:login) { User.pluck(:login).max.next }
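Review bot: The `it 'leaks no sensitive data'` example asserts only that `password` is absent, while the filter this commit relies on also strips `token`, `tokens` and `token_ids`; all four keys should be covered, e.g. `expect(json_response['session']).not_to include('password', 'token', 'tokens', 'token_ids')`. The negative assertion also passes vacuously if the session hash comes back empty, so pair it with a positive check that the payload is populated, such as `expect(json_response['session']).to include('login' => user.login)`. A one-line comment above the example naming the method under test, `# exercises ApplicationModel::CanAssociations#filter_attributes via SessionHelper`, would tie the spec to the code it protects.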