password_hash is masked in server responses.

2019-06-29 03:55:40 +02:00 · 2019-06-29 03:55:40 +02:00 · e9e2b65729
parent 505171ff7b
commit e9e2b65729
2 changed files with 8 additions and 3 deletions
--- a/src/main.cr
+++ b/src/main.cr
@ -96,7 +96,7 @@ IPC::Service.new "auth" do |event|

 			user = passwd.add_user request.login, request.password

-			client.send ResponseTypes::Ok, user.to_json
+			client.send ResponseTypes::Ok, user.sanitize!.to_json
 		when RequestTypes::GetUserByCredentials
 			begin
 				request = GetUserByCredentialsRequest.from_json String.new payload
@ -108,7 +108,7 @@ IPC::Service.new "auth" do |event|
 			user = passwd.get_user request.login, request.password

 			if user
-				client.send ResponseTypes::Ok, user.to_json
+				client.send ResponseTypes::Ok, user.sanitize!.to_json
 			else
 				client.send ResponseTypes::UserNotFound, ""
 			end
@ -123,7 +123,7 @@ IPC::Service.new "auth" do |event|
 			user = passwd.get_user request.uid

 			if user
-				client.send ResponseTypes::Ok, user.to_json
+				client.send ResponseTypes::Ok, user.sanitize!.to_json
 			else
 				client.send ResponseTypes::UserNotFound, ""
 			end
--- a/src/user.cr
+++ b/src/user.cr
@ -34,6 +34,11 @@ class AuthD::User
 	def initialize(@login, @password_hash, @uid, @gid, @home, @shell)
 	end

+	def sanitize!
+		@password_hash = "x"
+		self
+	end
+
 	def to_h
 		{
 			:login => @login,