shaj13 / go-guardian

Go-Guardian is a golang library that provides a simple, clean, and idiomatic way to create powerful modern API and web authentication.
MIT License
543 stars, 55 forks

Password included in token from jwt strategy example #102

Closed ChoffaH closed 3 years ago

ChoffaH commented 3 years ago

What version of Go are you using (go version)?

$ go version
1.16

Does this issue reproduce with the latest release?

Yes

What version of Go-Guardian are you using?

Go-Guardian Version: v2.11.2

What did you do?

Run the jwt token example in the repo with basic login.

What did you expect to see?

A token without password.

What did you see instead?

The password included in plain text in the payload of the token:

{
  "Extensions": {
    "x-go-guardian-basic-password": [
      "admin"
    ]
  },
  "Groups": null,
  "ID": "1",
  "Name": "admin",
  "aud": [
    ""
  ],
  "exp": 1615318474,
  "iat": 1615318174,
  "nbf": 1615318174,
  "sub": "1"
}
shaj13 commented 3 years ago

@ChoffaH good catch, basic should avoid storing sensitive data in user extensions; we need to create a cache struct entry and, when the user is authenticated, push that entry into the cache instead of the auth info. Starting point https://github.com/shaj13/go-guardian/blob/master/auth/strategies/basic/cached.go#L66

type entry struct {
	user     auth.Info
	password string
}
// ....

I would love to see a PR
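
To make the leak and the proposed fix concrete, here is an added example (not go-guardian's own code): a simplified stand-in for auth.Info, a cache that stuffs the password into Extensions the way the reported token shows, the cache entry layout sketched above, and an audit check a defender can run over decoded claims to confirm the "x-go-guardian-basic-password" key is gone. The Info type, the two cache functions and tokenPayload are assumptions that model the library's behaviour, not its actual API.

```go
package main

import "encoding/json"

// Info is a simplified stand-in for go-guardian's auth.Info (an assumption;
// the real type carries more). Extensions is what reaches the jwt payload.
type Info struct {
	ID         string              `json:"ID"`
	Name       string              `json:"Name"`
	Extensions map[string][]string `json:"Extensions"`
}

// extKey is the extension key the issue shows leaking into the token.
const extKey = "x-go-guardian-basic-password"

// entry follows the fix sketched in the thread: the password sits beside
// the user info in the cache, not inside the Info that later gets tokenised.
type entry struct {
	user     Info
	password string
}

// leakyCache mimics the pre-fix behaviour: the password is stored in Extensions.
func leakyCache(name, password string) Info {
	return Info{ID: "1", Name: name,
		Extensions: map[string][]string{extKey: {password}}}
}

// fixedCache keeps the secret out of the Info that the jwt strategy serialises.
func fixedCache(name, password string) entry {
	return entry{user: Info{ID: "1", Name: name}, password: password}
}

// tokenPayload stands in for the jwt strategy marshalling user info into claims.
func tokenPayload(u Info) (string, error) {
	b, err := json.Marshal(u)
	return string(b), err
}

// payloadLeaksPassword is a defender's audit check over a decoded claims
// payload: does it carry the basic-password extension?
func payloadLeaksPassword(payload string) bool {
	var u Info
	if err := json.Unmarshal([]byte(payload), &u); err != nil {
		return false
	}
	_, ok := u.Extensions[extKey]
	return ok
}
```

Running payloadLeaksPassword over the claims of tokens issued before and after upgrading is a quick way to verify the fix landed in a deployment.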

shaj13 commented 3 years ago

@ChoffaH fixed

ChoffaH commented 3 years ago

@shaj13 Great! I haven't had the time to try making a PR for this so thank you! 😃