search

digitalfabrik / entitlementcard

App for 'Digitale Berechtigungskarten', generally benefit card for volunteers or socially vulnerable groups in Germany. App for Android & iOS + Backend + Administration Web Portal – 100% Open Source.
MIT License
36 stars 3 forks source link

1628: Exclude fullName field from user hashing #1629

Closed seluianova closed 2 weeks ago

seluianova commented 2 weeks ago

Short description

Exclude fullName field from user hashing

Koblenz-Pass News: "Aktenzeichen in der Kombination mit Geburtsdatum sind datenschutzrechtlich vereinbar. Die Übertragung des Aktenzeichen und des Geburtsdatums sind möglich."

Proposed changes

Side effects

Card can be issued under any name

Testing

  1. Import user entitlements via POST http://localhost:8000/users/import Include CSV file as a form-data:

    regionKey,userHash,startDate,endDate,revoked
07111,"$argon2id$v=19$m=19456,t=2,p=1$cr3lP9IMUKNz4BLfPGlAOHq1z98G5/2tTbhDIko35tY",01.01.2024,01.01.2025,false

    The above hash does not contain a name of the user

  2. Send graphql request to create card:

    mutation CreateCardFromSelfService {
createCardFromSelfService(
    project: "koblenz.sozialpass.app"
    encodedCardInfo: "Cg1LYXJsYSBLb2JsZW56GhIKAghfEgQI6r4BMgYKBDEyM0s="
    generateStaticCode: true
) {
    dynamicActivationCode {
        cardInfoHashBase64
        codeBase64
    }
    staticVerificationCode {
        cardInfoHashBase64
        codeBase64
    }
}
}

    The encodedCardInfo above contains a name of the user

Resolved issues

Fixes: #1628

seluianova commented 2 weeks ago

@steffenkleinle sorry 🙈 have you managed that already or shall I extend the testing steps now?