OWASP / crAPI

completely ridiculous API (crAPI)
Apache License 2.0

Added CWE-798: Use of Hard-coded Credentials (email, password) #133

Closed sanket-mundra closed 2 years ago

sanket-mundra commented 2 years ago

Refers to this issue: #119


Testing

After making the changes in the codebase, I created a new docker image of the crapi-identity service with the develop tag using the command below:

docker build -t crapi/crapi-identity:develop .

Then I ran crAPI using the commands below:

curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/develop/deploy/docker/docker-compose.yml
VERSION=develop docker-compose pull 
VERSION=develop docker-compose -f docker-compose.yml --compatibility up -d

I saw this in the log after entering the required email and password in the UI while logging in:

Screenshot 2022-10-08 at 9 18 21 PM


sanket-mundra commented 2 years ago

The login will definitely fail in that case; as you can see in the screenshot above, I got 401 UNAUTHORIZED in the logs, but whatever message we put in the logs would be visible, like the "Admin authenticated successfully!! Welcome Admin!!" above. Do we also need to let the user log in with those credentials?

piyushroshan commented 2 years ago

Yes. That would be the ideal scenario.

sanket-mundra commented 2 years ago

Just before calling the authenticateUserLogin() function inside the function mapped to the /login endpoint, I am calling the registerUser() function for the hard-coded credential user; it generates the authentication token and adds it to the DB. So the login will succeed.
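The mechanism described in the comment above, written out as an added example that is not crAPI's code (the identity service is Java; this is a self-contained Python stand-in): a login handler that registers a hard-coded user just before authenticating, so the backdoor pair always succeeds (CWE-798), next to the same handler with the backdoor removed, and a black-box probe that flags any credential pair which authenticates although its email is absent from the user store. The credential values, the UserStore class and the function names are assumptions for this example, not values from the PR.

```python
# Added example (not crAPI code): a CWE-798 hard-coded credential backdoor in
# a login handler, its hardened counterpart, and a probe that detects it.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserStore:
    """In-memory stand-in for the identity service's user table (assumed)."""
    users: dict = field(default_factory=dict)   # email -> (salt, pbkdf2 hash)
    tokens: dict = field(default_factory=dict)  # token -> email

    def register_user(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[email] = (salt, _hash_password(password, salt))

    def authenticate_user_login(self, email: str, password: str):
        """Return a fresh token on success, None on unknown user or bad password."""
        rec = self.users.get(email)
        if rec is None:
            return None
        salt, digest = rec
        if not hmac.compare_digest(digest, _hash_password(password, salt)):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = email
        return token


# Hypothetical hard-coded pair, assumed for this example only.
HARDCODED_EMAIL = "admin@example.com"
HARDCODED_PASSWORD = "admin"


def vulnerable_login(store: UserStore, email: str, password: str):
    """Mirrors the PR's mechanism: register the hard-coded user right before
    authenticating, so the pair logs in regardless of the real user table."""
    if email == HARDCODED_EMAIL and password == HARDCODED_PASSWORD:
        store.register_user(HARDCODED_EMAIL, HARDCODED_PASSWORD)
        print("Admin authenticated successfully!! Welcome Admin!!")
    return store.authenticate_user_login(email, password)


def hardened_login(store: UserStore, email: str, password: str):
    """Same handler with the backdoor removed: only stored users can log in."""
    return store.authenticate_user_login(email, password)


def probe_for_backdoor(login, store: UserStore, candidates) -> list:
    """Black-box check: a candidate pair that authenticates although its email
    is not in the user store can only be a hard-coded credential."""
    hits = []
    for email, password in candidates:
        if email in store.users:
            continue  # a real account; not evidence of a backdoor
        if login(store, email, password) is not None:
            hits.append((email, password))
    return hits


# Constructed candidate list (common default pairs) for a stand-alone run.
CANDIDATES = [("admin@example.com", "admin"), ("root@example.com", "toor")]

if __name__ == "__main__":
    print("vulnerable handler:", probe_for_backdoor(vulnerable_login, UserStore(), CANDIDATES))
    print("hardened handler:  ", probe_for_backdoor(hardened_login, UserStore(), CANDIDATES))
```

The probe only needs the login callable and a view of the user table; against a deployed service the same idea applies by attempting the candidate pairs and comparing against the accounts known to exist.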

piyushroshan commented 2 years ago

Closing this in favor of #146