Merge pull request #233 from glutengo/bug/issue-232

Do not read user password from DB closes #232

generators/server/templates/server/e2e/account.e2e-spec.ts.ejs

@@ -7,10 +7,12 @@ import { RolesGuard } from '../src/security/guards/roles.guard';
 import { UserDTO } from '../src/service/dto/user.dto';
 import { UserService } from '../src/service/user.service';
 import { PasswordChangeDTO } from '../src/service/dto/password-change.dto';
+import { AuthService } from '../src/service/auth.service';
 
 describe('Account', () => {
     let app: INestApplication;
     let service: UserService;
+    let authService: AuthService;
 
     const testUserDTO: UserDTO = {
         login: 'userTestLogin',
@@ -23,6 +25,7 @@ describe('Account', () => {
         login: 'userlogged',
         email: '[email protected]',
         password: 'userloggedPassword',
+        activated: true
     };
 
     const testPasswordChange: PasswordChangeDTO = {
@@ -55,6 +58,7 @@ describe('Account', () => {
         app = moduleFixture.createNestApplication();
         await app.init();
         service = moduleFixture.get<UserService>(UserService);
+        authService = moduleFixture.get<AuthService>(AuthService);
         userAuthenticated = await service.save(testUserAuthenticated);
     });
 
@@ -127,8 +131,13 @@ describe('Account', () => {
             .send(testPasswordChange)
             .expect(201);
 
-        const updatedUserPassword: UserDTO = await service.findByfields({ where: { login: testUserAuthenticated.login } });
-        expect(updatedUserPassword.password).toEqual(testPasswordChange.newPassword);
+        const successFullyLoggedInWithNewPassword = await authService.login(
+            {
+                username: testUserAuthenticated.login,
+                password: testPasswordChange.newPassword
+            }).then(() => true, () => false);
+
+        expect(successFullyLoggedInWithNewPassword).toEqual(true);
     });
 
     it('/POST reset password init', async () => {

generators/server/templates/server/e2e/user.e2e-spec.ts.ejs

@@ -86,6 +86,8 @@ describe('User', () => {
     it('/GET user with a login name', async () => {
         testUserDTO.login = 'TestUserGet';
         const savedUser: UserDTO = await service.save(testUserDTO);
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        const { password, ...savedUserWithoutPassword } = savedUser;
 
         const getUser: UserDTO = (
             await request(app.getHttpServer())
@@ -94,7 +96,7 @@ describe('User', () => {
         ).body;
 
         <%_ if (databaseType !== 'mongodb') { _%>
-        expect(getUser).toEqual(savedUser);
+        expect(getUser).toEqual(savedUserWithoutPassword);
         <%_ } else { _%>
         expect(getUser.login).toEqual(savedUser.login);
         <%_ } _%>

generators/server/templates/server/src/domain/user.entity.ts.ejs

@@ -35,7 +35,8 @@ export class User extends BaseEntity {
       algorithm: 'aes-256-cbc',
       ivLength: 16,
       iv: config.get('crypto.iv')
-    })
+    }),
+    select: false
   })
   password: string;
   @Column({ nullable: true })

generators/server/templates/server/src/service/auth.service.ts.ejs

@@ -73,7 +73,7 @@ export class AuthService {
   }
 
   async changePassword(userLogin: string, currentClearTextPassword: string, newPassword: string): Promise<void> {
-    const userFind: UserDTO = await this.userService.findByfields({ where: { login: userLogin } });
+    const userFind: UserDTO = await this.userService.findByfields({ where: { login: userLogin }, select: [ 'id', 'password' ] });
     if (!userFind) {
         throw new HttpException('Invalid login name!', HttpStatus.BAD_REQUEST);
     }