From e9e2b65729f89e337d83f5ffcb4b11ea7e2b5def Mon Sep 17 00:00:00 2001
From: Luka Vandervelden
Date: Sat, 29 Jun 2019 03:55:40 +0200
Subject: [PATCH] password_hash is masked in server responses.
---
 src/main.cr | 6 +++---
 src/user.cr | 5 +++++
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/main.cr b/src/main.cr
index 62639ce..d0a99c8 100644
--- a/src/main.cr
+++ b/src/main.cr
@@ -96,7 +96,7 @@ IPC::Service.new "auth" do |event|
 user = passwd.add_user request.login, request.password
- client.send ResponseTypes::Ok, user.to_json
+ client.send ResponseTypes::Ok, user.sanitize!.to_json
 when RequestTypes::GetUserByCredentials
 begin
 request = GetUserByCredentialsRequest.from_json String.new payload
@@ -108,7 +108,7 @@ IPC::Service.new "auth" do |event|
 user = passwd.get_user request.login, request.password
 if user
- client.send ResponseTypes::Ok, user.to_json
+ client.send ResponseTypes::Ok, user.sanitize!.to_json
 else
 client.send ResponseTypes::UserNotFound, ""
 end
@@ -123,7 +123,7 @@ IPC::Service.new "auth" do |event|
 user = passwd.get_user request.uid
 if user
- client.send ResponseTypes::Ok, user.to_json
+ client.send ResponseTypes::Ok, user.sanitize!.to_json
 else
 client.send ResponseTypes::UserNotFound, ""
 end
diff --git a/src/user.cr b/src/user.cr
index 9f70a13..4fd999c 100644
--- a/src/user.cr
+++ b/src/user.cr
@@ -34,6 +34,11 @@ class AuthD::User
 def initialize(@login, @password_hash, @uid, @gid, @home, @shell)
 end
+ def sanitize!
+ @password_hash = "x"
+ self
+ end
+
 def to_h
 {
 :login => @login,
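Review bot: Masking in the `-96` hunk depends on every response path remembering to call `sanitize!` before `to_json`; the same call is repeated in the hunks at lines 108 and 123, and `to_json` on its own presumably still serializes `password_hash`. A response added later that sends a user without the call would expose the hash again. Routing the three sends through one helper, for example a proposed `send_user(client, user)` whose body is `client.send ResponseTypes::Ok, user.sanitize!.to_json`, would keep the masking in a single place. The enclosing `IPC::Service.new` block starts and ends outside these hunks.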
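Review bot: `sanitize!` overwrites `@password_hash` on the receiver itself, so the caller's object no longer holds the real hash once a response has been built from it. If `passwd` ever hands out objects that it keeps or writes back (not visible in this diff), the stored hash would be replaced with "x". A non-mutating variant avoids that, for example `def sanitized; AuthD::User.new(@login, "x", @uid, @gid, @home, @shell); end`, assuming the constructor shown in this hunk covers every field. A comment above the method such as `# Masks the hash with a fixed placeholder; do not call on an object that will be persisted.` would also record the intent. The class body continues outside the hunk.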