Remove password from jwt. Review mods.

datacite · Feb 25, 2022 · f30fac5 · f30fac5
1 parent fc039b4
commit f30fac5
Showing 1 changed file with 2 additions and 7 deletions.
diff --git a/app/models/concerns/authenticable.rb b/app/models/concerns/authenticable.rb
@@ -308,7 +308,6 @@ def generate_token(attributes = {})
         provider_id: attributes.fetch(:provider_id, nil),
         client_id: attributes.fetch(:client_id, nil),
         role_id: attributes.fetch(:role_id, "staff_admin"),
-        password: attributes.fetch(:password, nil),
         beta_tester: attributes.fetch(:beta_tester, nil),
         has_orcid_token: attributes.fetch(:has_orcid_token, nil),
         aud: attributes.fetch(:aud, Rails.env),
@@ -331,7 +330,6 @@ def generate_alb_token(attributes = {})
         provider_id: attributes.fetch(:provider_id, nil),
         client_id: attributes.fetch(:client_id, nil),
         role_id: attributes.fetch(:role_id, "user"),
-        password: attributes.fetch(:password, nil),
         aud: Rails.env,
         iat: Time.now.to_i,
         exp: Time.now.to_i + attributes.fetch(:exp, 30),
@@ -358,11 +356,8 @@ def get_payload(uid: nil, user: nil, password: nil)
 
       # we only need password for clients registering DOIs in the handle system
       if uid.include? "."
-        payload.merge!(
-          "provider_id" => user.provider_id,
-          "client_id" => uid,
-          "password" => password,
-        )
+        payload["provider_id"] = user.provider_id
+        payload["client_id"] = uid
       elsif uid != "admin"
         payload["provider_id"] = uid
       end