Merge pull request from GHSA-4w46-w44m-3jq3
* strip password after authentication to prevent cleartext password storage * fixed forgotten testcase forcing ;-/ * added test to check if password is not stored in user record Co-authored-by: Fabian Strachanski <fabian@fastr.de>
This commit is contained in:
Antonio Davi Macedo Coelho de Castro
committed by
GitHub
GitHub
parent
4dee0bc61e
commit
da905a357d
@@ -211,3 +211,49 @@ it('Should fail if the LDAP server encounters an error while searching', done =>
|
|||||||
.finally(() => server.close());
|
.finally(() => server.close());
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('Should delete the password from authData after validation', done => {
|
||||||
|
mockLdapServer(port, 'uid=testuser, o=example', true).then(server => {
|
||||||
|
const options = {
|
||||||
|
suffix: 'o=example',
|
||||||
|
url: `ldap://localhost:${port}`,
|
||||||
|
dn: 'uid={{id}}, o=example'
|
||||||
|
};
|
||||||
|
|
||||||
|
const authData = { id: 'testuser', password: 'secret' };
|
||||||
|
|
||||||
|
ldap
|
||||||
|
.validateAuthData(authData, options)
|
||||||
|
.then(() => {
|
||||||
|
expect(authData).toEqual({ id: 'testuser' });
|
||||||
|
done();
|
||||||
|
})
|
||||||
|
.catch(done.fail)
|
||||||
|
.finally(() => server.close());
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
it('Should not save the password in the user record after authentication', done => {
|
||||||
|
mockLdapServer(port, 'uid=testuser, o=example', true).then(server => {
|
||||||
|
const options = {
|
||||||
|
suffix: 'o=example',
|
||||||
|
url: `ldap://localhost:${port}`,
|
||||||
|
dn: 'uid={{id}}, o=example'
|
||||||
|
};
|
||||||
|
reconfigureServer({ auth: { ldap: options } }).then(() => {
|
||||||
|
const authData = { authData: { id: 'testuser', password: 'secret' } };
|
||||||
|
Parse.User.logInWith('ldap', authData).then((returnedUser) => {
|
||||||
|
const query = new Parse.Query("User");
|
||||||
|
query
|
||||||
|
.equalTo('objectId', returnedUser.id).first({ useMasterKey: true })
|
||||||
|
.then((user) => {
|
||||||
|
expect(user.get('authData')).toEqual({ ldap:{ id: 'testuser' }});
|
||||||
|
expect(user.get('authData').ldap.password).toBeUndefined();
|
||||||
|
done();
|
||||||
|
})
|
||||||
|
.catch(done.fail)
|
||||||
|
.finally(() => server.close())
|
||||||
|
})
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|||||||
@@ -23,6 +23,7 @@ function validateAuthData(authData, options) {
|
|||||||
|
|
||||||
return new Promise((resolve, reject) => {
|
return new Promise((resolve, reject) => {
|
||||||
client.bind(userCn, authData.password, ldapError => {
|
client.bind(userCn, authData.password, ldapError => {
|
||||||
|
delete(authData.password);
|
||||||
if (ldapError) {
|
if (ldapError) {
|
||||||
let error;
|
let error;
|
||||||
switch (ldapError.code) {
|
switch (ldapError.code) {
|
||||||
|
|||||||
Reference in New Issue
Block a user