From 43b784edd466994722e9e7a0dfd6618eda4227e6 Mon Sep 17 00:00:00 2001
From: Quan HL
Date: Fri, 16 Jun 2023 07:08:33 +0700
Subject: [PATCH] obfuscate client password

---
 lib/routes/api/clients.js | 6 +++---
 lib/utils/encrypt-decrypt.js | 3 +--
 test/clients.js | 4 ++--
 3 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/lib/routes/api/clients.js b/lib/routes/api/clients.js
index de3ea9a..c97988b 100644
--- a/lib/routes/api/clients.js
+++ b/lib/routes/api/clients.js
@@ -4,7 +4,7 @@ const sysError = require('../error');
const Client = require('../../models/client');
const Account = require('../../models/account');
const { DbErrorBadRequest, DbErrorForbidden } = require('../../utils/errors');
-const { encrypt, decrypt } = require('../../utils/encrypt-decrypt');
+const { encrypt, decrypt, obscureKey } = require('../../utils/encrypt-decrypt');
const commonCheck = async(req) => {
if (req.user.hasAccountAuth) {
@@ -55,7 +55,7 @@ router.get('/', async(req, res) => {
await Client.retrieveAllByAccountSid(req.user.hasAccountAuth ? req.user.account_sid : null) :
await Client.retrieveAllByServiceProviderSid(req.user.service_provider_sid);
const ret = results.map((c) => {
- c.password = decrypt(c.password);
+ c.password = obscureKey(decrypt(c.password), 1);
return c;
});
res.status(200).json(ret);
@@ -70,7 +70,7 @@ router.get('/:sid', async(req, res) => {
const results = await Client.retrieve(req.params.sid);
if (results.length === 0) return res.sendStatus(404);
const client = results[0];
- client.password = decrypt(client.password);
+ client.password = obscureKey(decrypt(client.password), 1);
if (req.user.hasAccountAuth && client.account_sid !== req.user.account_sid) {
return res.sendStatus(404);
} else if (req.user.hasServiceProviderAuth) {
diff --git a/lib/utils/encrypt-decrypt.js b/lib/utils/encrypt-decrypt.js
index 0c7d18b..78f32a3 100644
--- a/lib/utils/encrypt-decrypt.js
+++ b/lib/utils/encrypt-decrypt.js
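Review bot: `obscureKey(decrypt(c.password), 1)` in the `GET /` handler returns a mask that keeps the first character and, as the test fixture going from 'sdf12412' to 'sXXXXXXX' shows, the exact length of the plaintext, so each listing still discloses part of every client's password; the `GET /:sid` hunk below makes the same call. If consumers are not meant to see the secret at all, a fixed placeholder that does not depend on the plaintext — e.g. `c.password = '********';` — or dropping the field removes the partial disclosure and the `decrypt` call with it. Whatever form is chosen, the `PUT /:sid` handler (not in this diff) needs to ignore a submitted `password` equal to the mask, otherwise a consumer that edits a GET response and sends it back overwrites the stored credential with 'sXXXXXXX'; whether it already does cannot be seen from here. The bare `1` would also read better as a named constant shared by both handlers, `const PASSWORD_VISIBLE_CHARS = 1;`. Both route handlers begin outside their hunks.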
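Review bot: In `GET /:sid` the password is decrypted and masked before the ownership check on the following line, so the plaintext is produced even for requests that are then answered with 404. Moving `client.password = obscureKey(decrypt(client.password), 1);` to just before the successful response keeps the secret untouched on the rejection paths; the `else if` chain and the rest of the handler are outside the hunk, so the exact placement has to be confirmed there.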
@@ -23,8 +23,7 @@ const decrypt = (data) => {
return decrpyted.toString();
};
-const obscureKey = (key) => {
- const key_spoiler_length = 6;
+const obscureKey = (key, key_spoiler_length = 6) => {
const key_spoiler_char = 'X';
if (!key || key.length <= key_spoiler_length) {
diff --git a/test/clients.js b/test/clients.js
index f098d4d..a8fca6d 100644
--- a/test/clients.js
+++ b/test/clients.js
@@ -76,7 +76,7 @@ test('client test', async(t) => {
t.ok(result.client_sid, 'successfully retrieved Client by sid');
t.ok(result.username === 'client1', 'successfully retrieved Client by sid');
t.ok(result.is_active === 1 , 'successfully retrieved Client by sid');
- t.ok(result.password === 'sdf12412' , 'successfully retrieved Client by sid');
+ t.ok(result.password === 'sXXXXXXX' , 'successfully retrieved Client by sid');
/* update the entity */
result = await request.put(`/Clients/${sid}`, {
@@ -94,7 +94,7 @@ test('client test', async(t) => {
json: true,
});
t.ok(result.is_active === 0 , 'successfully updated Client');
- t.ok(result.password === 'sdf12412' , 'successfully retrieved Client by sid');
+ t.ok(result.password === 'sXXXXXXX' , 'successfully retrieved Client by sid');
/* delete Client */
result = await request.delete(`/Clients/${sid}`, {
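Review bot: The new `key_spoiler_length` parameter of `obscureKey` is neither documented nor validated: the only guard in view is `if (!key || key.length <= key_spoiler_length)`, which a negative, fractional or non-numeric value does not trip, and what the function then does with such a value is below the hunk. Since callers now decide how much of a secret stays readable, a JSDoc line such as `@param {number} [key_spoiler_length=6] - count of leading characters left in clear; the remainder is replaced with key_spoiler_char` and a guard like `if (!Number.isInteger(key_spoiler_length) || key_spoiler_length < 0) throw new RangeError('key_spoiler_length must be a non-negative integer');` placed before the existing check would make the contract explicit. The remainder of the function body is outside the hunk.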
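Review bot: Changing both expected values to 'sXXXXXXX' (here and in the hunk at line 94) reduces the end-to-end check on the stored credential to its first character and length, so a fault in `encrypt`/`decrypt` that happens to preserve those two properties would no longer be caught. Keep one assertion on the unmasked value through a path that is not masked — for example loading the row with `Client.retrieve(sid)` and comparing `decrypt(row.password)` with 'sdf12412' — and let these two assertions cover only the mask shape. The message on the added line in the second hunk, 'successfully retrieved Client by sid', follows the update call; if that `result` is the PUT response, a message naming the update would make a failure easier to read, though the call itself is outside the hunk.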