Closed ChoffaH closed 3 years ago
@ChoffaH good catch, basic should avoid storing sensitive data in the user extensions; we need to create a cache struct entry and, when the user is authenticated, push that entry to the cache instead of the auth info. Starting point https://github.com/shaj13/go-guardian/blob/master/auth/strategies/basic/cached.go#L66

```go
// entry is what the basic strategy caches: the authenticated user and the
// credential it was verified with, kept apart from the exported auth.Info.
type entry struct {
	user     auth.Info
	password string
}
// ....
```
I would love to see a PR
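The pattern the maintainer sketches above, worked through as an added example that is not go-guardian's code. `Info`, `ClaimsFor`, `LeakyUser`, `BasicCache` and its methods are stand-ins invented for this illustration (the real library's `auth.Info` and cache types differ); the sample user and password are constructed. The first half reproduces the report: a token issuer that serialises the whole user record leaks a password that was stashed in the extensions. The second half keeps the credential in a separate cache entry, as a SHA-256 digest rather than cleartext (this example's choice, not necessarily the library's), compares it in constant time on cache hits, and hands back an `Info` that never contained the password, so nothing sensitive can reach the token payload.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"sync"
)

// Info is a minimal stand-in for auth.Info (hypothetical, not go-guardian's type):
// identity fields plus free-form extensions that a token issuer may serialise.
type Info struct {
	UserName   string              `json:"username"`
	ID         string              `json:"id"`
	Extensions map[string][]string `json:"extensions,omitempty"`
}

// ClaimsFor models a JWT issuer that copies the whole Info into the token payload.
// Anything stashed in Extensions therefore ends up (base64-encoded) in the token.
func ClaimsFor(u Info) (string, error) {
	b, err := json.Marshal(u)
	return string(b), err
}

// LeakyUser shows the reported behaviour: the basic strategy remembers the
// password by putting it into the user's extensions, so ClaimsFor exposes it.
func LeakyUser(username, password string) Info {
	return Info{
		UserName:   username,
		ID:         username,
		Extensions: map[string][]string{"password": {password}},
	}
}

// entry is the shape of the fix: the credential sits beside the user, not inside it.
// A SHA-256 digest is kept instead of the plaintext (an assumption of this example),
// so a dump of the in-memory cache does not hand out cleartext passwords.
type entry struct {
	user   Info
	digest [sha256.Size]byte
}

// BasicCache maps username -> entry for already-authenticated basic-auth requests.
type BasicCache struct {
	mu sync.Mutex
	m  map[string]entry
}

func NewBasicCache() *BasicCache { return &BasicCache{m: make(map[string]entry)} }

// Store is called after the real authenticate function has accepted the credentials.
func (c *BasicCache) Store(username, password string, user Info) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.m[username] = entry{user: user, digest: sha256.Sum256([]byte(password))}
}

// Lookup serves a cache hit only when the presented password matches, compared in
// constant time. The returned Info never carried the password, so tokens built
// from it cannot leak it.
func (c *BasicCache) Lookup(username, password string) (Info, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.m[username]
	if !ok {
		return Info{}, false
	}
	d := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(e.digest[:], d[:]) != 1 {
		return Info{}, false
	}
	return e.user, true
}

func main() {
	// Constructed sample credentials.
	leaky, _ := ClaimsFor(LeakyUser("alice", "s3cret"))
	fmt.Println("vulnerable claims:", leaky)

	c := NewBasicCache()
	c.Store("alice", "s3cret", Info{UserName: "alice", ID: "42"})
	if u, ok := c.Lookup("alice", "s3cret"); ok {
		safe, _ := ClaimsFor(u)
		fmt.Println("fixed claims:     ", safe)
	}
	_, ok := c.Lookup("alice", "wrong")
	fmt.Println("wrong password accepted:", ok)
}
```

Hashing with unsalted SHA-256 is a bounded mitigation that only makes sense because the cache is short-lived and in-process; if cached entries could persist or be shared across hosts, store a salted slow hash (bcrypt/argon2) instead. The constant-time compare matters on cache hits because a plain `==` on the digest would otherwise give an attacker a timing side channel against the cached credential.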
@ChoffaH fixed
@shaj13 Great! I haven't had the time to try making a PR for this so thank you! 😃
What version of Go are you using (`go version`)?
Does this issue reproduce with the latest release?
Yes
What version of Go-Guardian are you using?
What did you do?
Run the jwt token example in the repo with basic login.
What did you expect to see?
A token without password.
What did you see instead?
The password included in plain text in the payload of the token: