From 4f436de13ff5fd58a9ab5875e1877b73a9833de7 Mon Sep 17 00:00:00 2001
From: Suzanne Vogt
Date: Wed, 23 Feb 2022 13:50:01 -0500
Subject: [PATCH 1/5] Remove password from jwt.
---
 app/models/concerns/authenticable.rb | 1 -
 1 file changed, 1 deletion(-)
diff --git a/app/models/concerns/authenticable.rb b/app/models/concerns/authenticable.rb
index e720433f2..28cd5fd4c 100644
--- a/app/models/concerns/authenticable.rb
+++ b/app/models/concerns/authenticable.rb
@@ -195,7 +195,6 @@ def get_payload(uid: nil, user: nil, password: nil)
 payload.merge!(
 "provider_id" => user.provider_id,
 "client_id" => uid,
- "password" => password,
 )
 elsif uid != "admin"
 payload["provider_id"] = uid
From f0345447f99500a39af2a5f67444b39a009056cb Mon Sep 17 00:00:00 2001
From: Suzanne Vogt
Date: Wed, 23 Feb 2022 14:12:14 -0500
Subject: [PATCH 2/5] Rubocop.
---
 app/models/concerns/authenticable.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/app/models/concerns/authenticable.rb b/app/models/concerns/authenticable.rb
index 28cd5fd4c..2f6107b08 100644
--- a/app/models/concerns/authenticable.rb
+++ b/app/models/concerns/authenticable.rb
@@ -192,10 +192,8 @@ def get_payload(uid: nil, user: nil, password: nil)
 # we only need password for clients registering DOIs in the handle system
 if uid.include? "."
- payload.merge!(
- "provider_id" => user.provider_id,
- "client_id" => uid,
- )
+ payload["provider_id"] = user.provider_id
+ payload["client_id"] = uid
 elsif uid != "admin"
 payload["provider_id"] = uid
 end
From 38ab5b05d7a42ed239c6f1b4ffb3ad195368151f Mon Sep 17 00:00:00 2001
From: Suzanne Vogt
Date: Wed, 23 Feb 2022 15:08:57 -0500
Subject: [PATCH 3/5] Rspec - fix tests.
---
 spec/concerns/authenticable_spec.rb | 2 --
 1 file changed, 2 deletions(-)
diff --git a/spec/concerns/authenticable_spec.rb b/spec/concerns/authenticable_spec.rb
index b071995cd..781c6c26d 100644
--- a/spec/concerns/authenticable_spec.rb
+++ b/spec/concerns/authenticable_spec.rb
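Review bot: The `password:` keyword on `get_payload` (visible in the hunk header) is still accepted but no longer read once this hunk drops the only line that used it; either remove the parameter from the signature or leave a one-line comment above it, `# password: accepted for call-site compatibility only; it is no longer placed in the token`. Dropping the claim is the right call, since a JWT payload is only base64url-encoded and signed, not encrypted, so anyone holding a token could read the password from it. Two things remain to confirm: tokens issued before this change presumably keep the claim until they expire, and the comment shown at the top of patch 2/5's hunk suggests a handle-system consumer read this claim, so that consumer should be checked before the claim disappears. The same method body is changed again at `@@ -358` in patch 5/5, where this note applies as well; the rest of get_payload lies outside the hunk.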
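Review bot: The comment `# we only need password for clients registering DOIs in the handle system` at the top of this hunk now describes something the branch below no longer does — it only sets `provider_id` and `client_id` — so it should be rewritten or dropped, e.g. `# uids containing "." are client accounts: add the provider id alongside the client id` (the "client account" reading is inferred from the `include? "."` test; confirm). The two plain assignments read better than the `merge!` they replace and are equivalent here. get_payload's signature and the remainder of its body lie outside the hunk.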
@@ -394,7 +394,6 @@
 "uid" => subject.symbol.downcase,
 "name" => subject.name,
 "email" => subject.system_email,
- "password" => "12345",
 "role_id" => "client_admin",
 "provider_id" => subject.provider_id,
 "client_id" => subject.symbol.downcase,
@@ -412,7 +411,6 @@
 "uid" => subject.symbol.downcase,
 "name" => subject.name,
 "email" => subject.system_email,
- "password" => 12_345,
 "role_id" => "client_admin",
 "provider_id" => subject.provider_id,
 "client_id" => subject.symbol.downcase,
From fc039b4628df46bda83b14af5110d8f88690b52b Mon Sep 17 00:00:00 2001
From: Suzanne Vogt
Date: Thu, 24 Feb 2022 01:28:20 -0500
Subject: [PATCH 4/5] Rspec - fix tests.
---
 spec/concerns/authenticable_spec.rb | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/spec/concerns/authenticable_spec.rb b/spec/concerns/authenticable_spec.rb
index 781c6c26d..e5d5a59b2 100644
--- a/spec/concerns/authenticable_spec.rb
+++ b/spec/concerns/authenticable_spec.rb
@@ -402,12 +402,11 @@
 end
 describe "get_payload" do
+ let (:payload) { subject.get_payload(
+ uid: subject.symbol.downcase, user: subject, password: 12_345,
+ ) }
 it "works" do
- expect(
- subject.get_payload(
- uid: subject.symbol.downcase, user: subject, password: 12_345,
- ),
- ).to eq(
+ expect(payload).to eq(
 "uid" => subject.symbol.downcase,
 "name" => subject.name,
 "email" => subject.system_email,
@@ -416,5 +415,9 @@
 "client_id" => subject.symbol.downcase,
 )
 end
+
+ it "does not contain password" do
+ expect(payload).to include("role_id")
+ end
 end
 end
From f30fac57a024c2b43dbd519c25c9d1000fb8a86c Mon Sep 17 00:00:00 2001
From: Suzanne Vogt
Date: Fri, 25 Feb 2022 09:24:28 -0500
Subject: [PATCH 5/5] Remove password from jwt. Review mods.
---
 app/models/concerns/authenticable.rb | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/app/models/concerns/authenticable.rb b/app/models/concerns/authenticable.rb
index 2f6107b08..a1a86c58f 100644
--- a/app/models/concerns/authenticable.rb
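Review bot: `let (:payload)` on the first added line of the `@@ -402` hunk has a space between `let` and `(`, which makes `(:payload)` a grouped expression rather than an argument list and is flagged by RuboCop's Lint/ParenthesesAsGroupedExpression; given the series' own Rubocop commit, write it as `let(:payload) do` … `end` with the `subject.get_payload(...)` call inside the block. The helper still passes `password: 12_345` to `get_payload`, so if that parameter is later removed from the method this call site must change with it. The enclosing `describe` block continues past the end of the hunk.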
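Review bot: The new example `it "does not contain password"` in the `@@ -416` hunk asserts `expect(payload).to include("role_id")`, which passes whether or not a `password` key is present, so the example's name and its assertion disagree and a regression that re-adds the claim would go unnoticed by it; change the assertion to `expect(payload).not_to include("password")`. The `it "works"` example's `eq` against the full hash does pin the absence as a side effect, but the example a reader will trust by name is this one, and it currently checks nothing about the password.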
+++ b/app/models/concerns/authenticable.rb
@@ -308,7 +308,6 @@ def generate_token(attributes = {})
 provider_id: attributes.fetch(:provider_id, nil),
 client_id: attributes.fetch(:client_id, nil),
 role_id: attributes.fetch(:role_id, "staff_admin"),
- password: attributes.fetch(:password, nil),
 beta_tester: attributes.fetch(:beta_tester, nil),
 has_orcid_token: attributes.fetch(:has_orcid_token, nil),
 aud: attributes.fetch(:aud, Rails.env),
@@ -331,7 +330,6 @@ def generate_alb_token(attributes = {})
 provider_id: attributes.fetch(:provider_id, nil),
 client_id: attributes.fetch(:client_id, nil),
 role_id: attributes.fetch(:role_id, "user"),
- password: attributes.fetch(:password, nil),
 aud: Rails.env,
 iat: Time.now.to_i,
 exp: Time.now.to_i + attributes.fetch(:exp, 30),
@@ -358,11 +356,8 @@ def get_payload(uid: nil, user: nil, password: nil)
 # we only need password for clients registering DOIs in the handle system
 if uid.include? "."
- payload.merge!(
- "provider_id" => user.provider_id,
- "client_id" => uid,
- "password" => password,
- )
+ payload["provider_id"] = user.provider_id
+ payload["client_id"] = uid
 elsif uid != "admin"
 payload["provider_id"] = uid
 end
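Review bot: With `password:` removed from the claim list in `generate_token`, and likewise in `generate_alb_token` at `@@ -331`, a caller that still passes `attributes[:password]` is silently ignored, because `attributes` is an open hash read through `fetch` and nothing documents which keys are honoured. That is acceptable behaviour, but a header comment on each method listing the accepted keys — those visible in these hunks are `provider_id`, `client_id`, `role_id`, `beta_tester`, `has_orcid_token`, `aud` and `exp`, plus whatever precedes the hunk — would make the dropped key discoverable at the call sites. Both method bodies start before their hunks and the claim hashes continue outside them.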