Merge pull request finos#1098 from andypols/fix-additional-user-api-leaks

fix: additional user api leaks

Author: jescalada

src/service/routes/auth.js

@@ -6,6 +6,7 @@ const passportLocal = require('../passport/local');
 const passportAD = require('../passport/activeDirectory');
 const authStrategies = require('../passport').authStrategies;
 const db = require('../../db');
+const { toPublicUser } = require('./publicApi');
 const { GIT_PROXY_UI_HOST: uiHost = 'http://localhost', GIT_PROXY_UI_PORT: uiPort = 3000 } =
   process.env;
 
@@ -46,6 +47,25 @@ const getLoginStrategy = () => {
   return enabledAppropriateLoginStrategies[0].type.toLowerCase();
 };
 
+const loginSuccessHandler = () => async (req, res) => {
+  try {
+    const currentUser = { ...req.user };
+    delete currentUser.password;
+    console.log(
+      `serivce.routes.auth.login: user logged in, username=${
+        currentUser.username
+      } profile=${JSON.stringify(currentUser)}`,
+    );
+    res.send({
+      message: 'success',
+      user: toPublicUser(currentUser),
+    });
+  } catch (e) {
+    console.log(`service.routes.auth.login: Error logging user in ${JSON.stringify(e)}`);
+    res.status(500).send('Failed to login').end();
+  }
+};
+
 // TODO: provide separate auth endpoints for each auth strategy or chain compatibile auth strategies
 // TODO: if providing separate auth methods, inform the frontend so it has relevant UI elements and appropriate client-side behavior
 router.post(
@@ -59,25 +79,7 @@ router.post(
     console.log('going to auth with', authType);
     return passport.authenticate(authType)(req, res, next);
   },
-  async (req, res) => {
-    try {
-      const currentUser = { ...req.user };
-      delete currentUser.password;
-      console.log(
-        `serivce.routes.auth.login: user logged in, username=${
-          currentUser.username
-        } profile=${JSON.stringify(currentUser)}`,
-      );
-      res.send({
-        message: 'success',
-        user: currentUser,
-      });
-    } catch (e) {
-      console.log(`service.routes.auth.login: Error logging user in ${JSON.stringify(e)}`);
-      res.status(500).send('Failed to login').end();
-      return;
-    }
-  },
+  loginSuccessHandler(),
 );
 
 router.get('/oidc', passport.authenticate(authStrategies['openidconnect'].type));
@@ -114,8 +116,7 @@ router.post('/logout', (req, res, next) => {
 router.get('/profile', async (req, res) => {
   if (req.user) {
     const userVal = await db.findUser(req.user.username);
-    delete userVal.password;
-    res.send(userVal);
+    res.send(toPublicUser(userVal));
   } else {
     res.status(401).end();
   }
@@ -160,14 +161,14 @@ router.post('/gitAccount', async (req, res) => {
 
 router.get('/me', async (req, res) => {
   if (req.user) {
-    const user = JSON.parse(JSON.stringify(req.user));
-    if (user && user.password) delete user.password;
-    const login = user.username;
-    const userVal = await db.findUser(login);
-    if (userVal && userVal.password) delete userVal.password;
-    res.send(userVal);
+    const userVal = await db.findUser(req.user.username);
+    res.send(toPublicUser(userVal));
   } else {
     res.status(401).end();
   }
 });
-module.exports = router;
+
+module.exports = {
+  router,
+  loginSuccessHandler
+};

src/service/routes/index.js

@@ -10,7 +10,7 @@ const jwtAuthHandler = require('../passport/jwtAuthHandler');
 const router = new express.Router();
 
 router.use('/api', home);
-router.use('/api/auth', auth);
+router.use('/api/auth', auth.router);
 router.use('/api/v1/healthcheck', healthcheck);
 router.use('/api/v1/push', jwtAuthHandler(), push);
 router.use('/api/v1/repo', jwtAuthHandler(), repo);

src/service/routes/publicApi.js

@@ -0,0 +1,10 @@
+export const toPublicUser = (user) => {
+  return {
+    username: user.username || '',
+    displayName: user.displayName || '',
+    email: user.email || '',
+    title: user.title || '',
+    gitAccount: user.gitAccount || '',
+    admin: user.admin || false,
+  }
+}

src/service/routes/users.js

@@ -1,17 +1,7 @@
 const express = require('express');
 const router = new express.Router();
 const db = require('../../db');
-
-const toPublicUser = (user) => {
-  return {
-    username: user.username || '',
-    displayName: user.displayName || '',
-    email: user.email || '',
-    title: user.title || '',
-    gitAccount: user.gitAccount || '',
-    admin: user.admin || false,
-  }
-}
+const { toPublicUser } = require('./publicApi');
 
 router.get('/', async (req, res) => {
   const query = {};
@@ -35,8 +25,7 @@ router.get('/', async (req, res) => {
 router.get('/:id', async (req, res) => {
   const username = req.params.id.toLowerCase();
   console.log(`Retrieving details for user: ${username}`);
-  const data = await db.findUser(username);
-  const user = JSON.parse(JSON.stringify(data));
+  const user = await db.findUser(username);
   res.send(toPublicUser(user));
 });
 

test/services/routes/auth.test.js

@@ -2,7 +2,7 @@ const chai = require('chai');
 const chaiHttp = require('chai-http');
 const sinon = require('sinon');
 const express = require('express');
-const authRouter = require('../../../src/service/routes/auth');
+const { router, loginSuccessHandler } = require('../../../src/service/routes/auth');
 const db = require('../../../src/db');
 
 const { expect } = chai;
@@ -19,11 +19,15 @@ const newApp = (username) => {
     });
   }
 
-  app.use('/auth', authRouter);
+  app.use('/auth', router);
   return app;
 };
 
-describe('Authentication Routes', () => {
+describe('Auth API', function () {
+  afterEach(function () {
+    sinon.restore();
+  });
+
   describe('/gitAccount', () => {
     beforeEach(() => {
       sinon.stub(db, 'findUser').callsFake((username) => {
@@ -112,7 +116,7 @@ describe('Authentication Routes', () => {
         }),
       ).to.be.true;
     });
-    
+
     it('POST /gitAccount allows non-admin user to update their own gitAccount', async () => {
       const updateUserStub = sinon.stub(db, 'updateUser').resolves();
 
@@ -132,6 +136,93 @@ describe('Authentication Routes', () => {
         }),
       ).to.be.true;
     });
+  });
+
+  describe('loginSuccessHandler', function () {
+    it('should log in user and return public user data', async function () {
+      const user = {
+        username: 'bob',
+        password: 'secret',
+        email: 'bob@example.com',
+        displayName: 'Bob',
+      };
 
+      const res = {
+        send: sinon.spy(),
+      };
+
+      await loginSuccessHandler()({ user }, res);
+
+      expect(res.send.calledOnce).to.be.true;
+      expect(res.send.firstCall.args[0]).to.deep.equal({
+        message: 'success',
+        user: {
+          admin: false,
+          displayName: 'Bob',
+          email: 'bob@example.com',
+          gitAccount: '',
+          title: '',
+          username: 'bob',
+        },
+      });
+    });
+  });
+
+  describe('/me', function () {
+    it('GET /me returns Unauthorized if authenticated user not in request', async () => {
+      const res = await chai.request(newApp()).get('/auth/me');
+
+      expect(res).to.have.status(401);
+    });
+
+    it('GET /me serializes public data representation of current authenticated user', async function () {
+      sinon.stub(db, 'findUser').resolves({
+        username: 'alice',
+        password: 'secret-hashed-password',
+        email: 'alice@example.com',
+        displayName: 'Alice Walker',
+        otherUserData: 'should not be returned',
+      });
+
+      const res = await chai.request(newApp('alice')).get('/auth/me');
+      expect(res).to.have.status(200);
+      expect(res.body).to.deep.equal({
+        username: 'alice',
+        displayName: 'Alice Walker',
+        email: 'alice@example.com',
+        title: '',
+        gitAccount: '',
+        admin: false,
+      });
+    });
+  });
+
+  describe('/profile', function () {
+    it('GET /profile returns Unauthorized if authenticated user not in request', async () => {
+      const res = await chai.request(newApp()).get('/auth/profile');
+
+      expect(res).to.have.status(401);
+    });
+
+    it('GET /profile serializes public data representation of current authenticated user', async function () {
+      sinon.stub(db, 'findUser').resolves({
+        username: 'alice',
+        password: 'secret-hashed-password',
+        email: 'alice@example.com',
+        displayName: 'Alice Walker',
+        otherUserData: 'should not be returned',
+      });
+
+      const res = await chai.request(newApp('alice')).get('/auth/profile');
+      expect(res).to.have.status(200);
+      expect(res.body).to.deep.equal({
+        username: 'alice',
+        displayName: 'Alice Walker',
+        email: 'alice@example.com',
+        title: '',
+        gitAccount: '',
+        admin: false,
+      });
+    });
   });
 });