Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't expose private RSA key #407

Closed
wants to merge 15 commits into from
Closed

Don't expose private RSA key #407

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
8627d57
Don't expose private RSA key
roschaefer Apr 4, 2019
8713f61
Added Tests to "user_management.spec.js"
Tirokk Apr 5, 2019
c4e57fc
User to query for "publicKey" is generated on port "4001"
Tirokk Apr 5, 2019
a995c84
Merge branch 'keep_private_rsa_key_secret' of https://github.com/Huma…
Tirokk Apr 5, 2019
ea2499f
Merge branch 'master' into keep_private_rsa_key_secret
ulfgebhardt Apr 5, 2019
851e691
Merge branch 'master' into keep_private_rsa_key_secret
ulfgebhardt Apr 6, 2019
6794156
Merge branch 'master' of https://github.com/Human-Connection/Human-Co…
Tirokk Apr 11, 2019
95a0567
Query of users "publicKey" 'throws "Not Authorised!"'
Tirokk Apr 11, 2019
b007015
Backend test for query "publicKey" to asure that "privatKey" is gener…
Tirokk Apr 12, 2019
008d99c
Update backend/src/resolvers/user_management.spec.js
roschaefer Apr 12, 2019
828ca50
Update backend/src/resolvers/user_management.spec.js
roschaefer Apr 12, 2019
e5e1f0a
Update backend/src/resolvers/user_management.spec.js
roschaefer Apr 12, 2019
023c636
Query of "publicKey" is now tested unauthenticated and authenticated
Tirokk Apr 12, 2019
0c8b478
Update backend/src/middleware/passwordMiddleware.js
roschaefer Apr 12, 2019
aadfd16
Remove redundant "not"
mattwr18 Apr 12, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
5 changes: 3 additions & 2 deletions backend/src/middleware/passwordMiddleware.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,11 @@ export default {
}
},
Query: async (resolve, root, args, context, info) => {
const result = await resolve(root, args, context, info)
return walkRecursive(result, ['password'], () => {
let result = await resolve(root, args, context, info)
result = walkRecursive(result, ['password', 'privateKey'], () => {
// replace password with asterisk
return '*****'
})
return result
}
}
3 changes: 2 additions & 1 deletion backend/src/middleware/permissionsMiddleware.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,8 @@ const permissions = shield({
},
User: {
email: isMyOwn,
password: isMyOwn
password: isMyOwn,
privateKey: isMyOwn
}
})

Expand Down
97 changes: 96 additions & 1 deletion backend/src/resolvers/user_management.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
import gql from 'graphql-tag'
import Factory from '../seed/factories'
import { GraphQLClient, request } from 'graphql-request'
import jwt from 'jsonwebtoken'
Expand Down Expand Up @@ -254,7 +255,7 @@ describe('change password', () => {
}

describe('should be authenticated before changing password', () => {
it('throws not "Not Authorised!', async () => {
it('throws "Not Authorised!"', async () => {
await expect(
request(
host,
Expand Down Expand Up @@ -309,3 +310,97 @@ describe('change password', () => {
})
})
})

describe('do not expose private RSA key', () => {
let headers
let client
const queryUserPuplicKey = gql`
query($queriedUserSlug: String) {
User(slug: $queriedUserSlug) {
id
publicKey
}
}`
const queryUserPrivateKey = gql`
query($queriedUserSlug: String) {
User(slug: $queriedUserSlug) {
id
privateKey
}
}`

const actionGenUserWithKeys = async () => {
// Generate user with "privateKey" via 'CreateUser' mutation instead of using the factories "factory.create('User', {...})", see above.
const variables = {
id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
password: 'xYz',
slug: 'apfel-strudel',
name: 'Apfel Strudel',
email: 'apfel-strudel@test.org'
}
await client.request(gql`
mutation($id: ID, $password: String!, $slug: String, $name: String, $email: String) {
CreateUser(id: $id, password: $password, slug: $slug, name: $name, email: $email) {
id
}
}`, variables
)
}

// not authenticate
beforeEach(async () => {
client = new GraphQLClient(host)
})

describe('unauthenticated query of "publicKey" (does the RSA key pair get generated at all?)', () => {
it('returns publicKey', async () => {
await actionGenUserWithKeys()
await expect(
await client.request(queryUserPuplicKey, { queriedUserSlug: 'apfel-strudel' })
).toEqual(expect.objectContaining({
User: [{
id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
publicKey: expect.any(String)
}]
}))
})
})

describe('unauthenticated query of "privateKey"', () => {
it('throws "Not Authorised!"', async () => {
await actionGenUserWithKeys()
await expect(
client.request(queryUserPrivateKey, { queriedUserSlug: 'apfel-strudel' })
).rejects.toThrow('Not Authorised')
})
})

// authenticate
beforeEach(async () => {
headers = await login({ email: 'test@example.org', password: '1234' })
client = new GraphQLClient(host, { headers })
})

describe('authenticated query of "publicKey"', () => {
it('returns publicKey', async () => {
await actionGenUserWithKeys()
await expect(
await client.request(queryUserPuplicKey, { queriedUserSlug: 'apfel-strudel' })
).toEqual(expect.objectContaining({
User: [{
id: 'bcb2d923-f3af-479e-9f00-61b12e864667',
publicKey: expect.any(String)
}]
}))
})
})

describe('authenticated query of "privateKey"', () => {
it('throws "Not Authorised!"', async () => {
await actionGenUserWithKeys()
await expect(
client.request(queryUserPrivateKey, { queriedUserSlug: 'apfel-strudel' })
).rejects.toThrow('Not Authorised')
})
})
})