Merge pull request from GHSA-4w46-w44m-3jq3

* strip password after authentication to prevent cleartext password storage

* fixed forgotten testcase forcing ;-/

* added test to check if password is not stored in user record

Co-authored-by: Fabian Strachanski <fabian@fastr.de>

spec/LdapAuth.spec.js

@@ -211,3 +211,49 @@ it('Should fail if the LDAP server encounters an error while searching', done =>
       .finally(() => server.close());
   });
 });
+
+it('Should delete the password from authData after validation', done => {
+  mockLdapServer(port, 'uid=testuser, o=example', true).then(server => {
+    const options = {
+      suffix: 'o=example',
+      url: `ldap://localhost:${port}`,
+      dn: 'uid={{id}}, o=example'
+    };
+
+    const authData = { id: 'testuser', password: 'secret' };
+
+    ldap
+      .validateAuthData(authData, options)
+      .then(() => {
+        expect(authData).toEqual({ id: 'testuser' });
+        done();
+      })
+      .catch(done.fail)
+      .finally(() => server.close());
+  });
+});
+
+it('Should not save the password in the user record after authentication', done => {
+  mockLdapServer(port, 'uid=testuser, o=example', true).then(server => {
+    const options = {
+      suffix: 'o=example',
+      url: `ldap://localhost:${port}`,
+      dn: 'uid={{id}}, o=example'
+    };
+    reconfigureServer({ auth: { ldap: options } }).then(() => {
+      const authData = { authData: { id: 'testuser', password: 'secret' } };
+      Parse.User.logInWith('ldap', authData).then((returnedUser) => {
+        const query = new Parse.Query("User");
+        query
+          .equalTo('objectId', returnedUser.id).first({ useMasterKey: true })
+          .then((user) => {
+            expect(user.get('authData')).toEqual({ ldap:{ id: 'testuser' }});
+            expect(user.get('authData').ldap.password).toBeUndefined();
+            done();
+          })
+          .catch(done.fail)
+          .finally(() => server.close())
+      })
+    });
+  });
+});