Merge pull request #786 from datacite/jwt-issue

Remove password from jwt.
datacite · Feb 25, 2022 · 38914d9 · 38914d9
2 parents 5033e99 + f30fac5
commit 38914d9
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 19 deletions.
diff --git a/app/models/concerns/authenticable.rb b/app/models/concerns/authenticable.rb
@@ -192,11 +192,8 @@ def get_payload(uid: nil, user: nil, password: nil)
 
       # we only need password for clients registering DOIs in the handle system
       if uid.include? "."
-        payload.merge!(
-          "provider_id" => user.provider_id,
-          "client_id" => uid,
-          "password" => password,
-        )
+        payload["provider_id"] = user.provider_id
+        payload["client_id"] = uid
       elsif uid != "admin"
         payload["provider_id"] = uid
       end
@@ -311,7 +308,6 @@ def generate_token(attributes = {})
         provider_id: attributes.fetch(:provider_id, nil),
         client_id: attributes.fetch(:client_id, nil),
         role_id: attributes.fetch(:role_id, "staff_admin"),
-        password: attributes.fetch(:password, nil),
         beta_tester: attributes.fetch(:beta_tester, nil),
         has_orcid_token: attributes.fetch(:has_orcid_token, nil),
         aud: attributes.fetch(:aud, Rails.env),
@@ -334,7 +330,6 @@ def generate_alb_token(attributes = {})
         provider_id: attributes.fetch(:provider_id, nil),
         client_id: attributes.fetch(:client_id, nil),
         role_id: attributes.fetch(:role_id, "user"),
-        password: attributes.fetch(:password, nil),
         aud: Rails.env,
         iat: Time.now.to_i,
         exp: Time.now.to_i + attributes.fetch(:exp, 30),
@@ -361,11 +356,8 @@ def get_payload(uid: nil, user: nil, password: nil)
 
       # we only need password for clients registering DOIs in the handle system
       if uid.include? "."
-        payload.merge!(
-          "provider_id" => user.provider_id,
-          "client_id" => uid,
-          "password" => password,
-        )
+        payload["provider_id"] = user.provider_id
+        payload["client_id"] = uid
       elsif uid != "admin"
         payload["provider_id"] = uid
       end

diff --git a/spec/concerns/authenticable_spec.rb b/spec/concerns/authenticable_spec.rb
@@ -394,7 +394,6 @@
         "uid" => subject.symbol.downcase,
         "name" => subject.name,
         "email" => subject.system_email,
-        "password" => "12345",
         "role_id" => "client_admin",
         "provider_id" => subject.provider_id,
         "client_id" => subject.symbol.downcase,
@@ -403,20 +402,22 @@
   end
 
   describe "get_payload" do
+    let (:payload) { subject.get_payload(
+      uid: subject.symbol.downcase, user: subject, password: 12_345,
+    ) }
     it "works" do
-      expect(
-        subject.get_payload(
-          uid: subject.symbol.downcase, user: subject, password: 12_345,
-        ),
-      ).to eq(
+      expect(payload).to eq(
         "uid" => subject.symbol.downcase,
         "name" => subject.name,
         "email" => subject.system_email,
-        "password" => 12_345,
         "role_id" => "client_admin",
         "provider_id" => subject.provider_id,
         "client_id" => subject.symbol.downcase,
       )
     end
+
+    it "does not contain password" do
+      expect(payload).to include("role_id")
+    end
   end
 end