Use hash instead of encryption for storing passwords refs #234 #235
Server e2e tests fail for oauth setups, I will address these.
I noticed that the password column exists on the user entity even if the authentication method is oauth. In JHipster, this is removed when oauth is used: https://github.com/jhipster/generator-jhipster/blob/cb8fb188d93eef093ffc303c8a48a26bfce62cc5/generators/server/templates/src/main/java/package/domain/User.java.ejs#L194
I have decided against removing the password in this PR. It seems too big a change and not directly in scope of this change. I will create a new issue to document this deviation from standard JHipster.
The pipeline now fails on the final step (START APP WITH EVENTUAL CLIENT E2E TESTS). The problem seems to be that the chrome version installed on the github runner via
The mentioned Chrome version issue seems to have been a problem with the github action runner, at least I could get past this step in my forked repo: https://github.com/glutengo/generator-jhipster-nodejs/runs/2734972691?check_suite_focus=true
However, some of the angular protractor tests (which I did not touch) failed afterwards. This seems a common issue for angular and protractor in combination with chrome (webdriver) in v91: angular/protractor#5519
As far as I can see, there are two ways to fix the protractor tests:
Either way, the tests are likely to fail on any branch for the current combination of protractor, chrome and chrome webdriver versions. If we decide to proceed with 1) it should also only be a temporary fix until the protractor issue has been resolved.
Hi @glutengo, For the password in the entity model, even if it is oauth authentication, for now leave it as it is. Then we can open another issue.
There is still a problem for apps with mongodb as a database. It seems that the It seems that this is a bug in typeorm, I have created a simple reproduction of this here: https://github.com/glutengo/typeorm-mongodb-select-false. I have reported the issue there and will try to find another solution for removing the password from API responses for nhipster.
- Drop usage of select:false in Field annotation as this does not work for typeorm with mongodb: typeorm/typeorm#7710
- Explicitly hash the password at distinct places instead: register, changePassword
- Use ClassTransformer with ClassSerializerInterceptor to exclude the password from responses instead
Pipeline has finally passed, should be good now.
Great!
Replace password encryption by bcrypt hashing. See #234 for details.
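
The approach named in the commits above (hash explicitly at register and changePassword, keep the stored hash out of responses), as an added example in plain Node.js that is not the PR's code. Assumptions: scrypt from Node's built-in `crypto` stands in for bcrypt so the block runs without dependencies, and the `users` map and all function names are hypothetical.

```javascript
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

const KEY_LEN = 32; // derived hash length in bytes

// One-way hash with a fresh random salt, stored as "scrypt$<salt>$<hash>".
// Unlike encryption there is no key that turns the stored value back into the password.
function hashPassword(plain) {
  const salt = randomBytes(16);
  const hash = scryptSync(plain, salt, KEY_LEN);
  return ['scrypt', salt.toString('hex'), hash.toString('hex')].join('$');
}

// Re-derive with the stored salt and compare in constant time.
function verifyPassword(plain, stored) {
  const [scheme, saltHex, hashHex] = String(stored).split('$');
  if (scheme !== 'scrypt' || !saltHex || !hashHex) return false;
  const expected = Buffer.from(hashHex, 'hex');
  if (expected.length !== KEY_LEN) return false; // malformed or truncated record
  const actual = scryptSync(plain, Buffer.from(saltHex, 'hex'), KEY_LEN);
  return timingSafeEqual(actual, expected);
}

// Hypothetical in-memory store standing in for the user repository.
const users = new Map();

// Response shaping: the password field is dropped before anything is returned.
function toResponse(user) {
  const { password, ...rest } = user;
  return rest;
}

// Hashing happens at the two places a password is written.
function register(login, plain) {
  const user = { login, password: hashPassword(plain) };
  users.set(login, user);
  return toResponse(user);
}

function changePassword(login, currentPlain, newPlain) {
  const user = users.get(login);
  if (!user || !verifyPassword(currentPlain, user.password)) return false;
  user.password = hashPassword(newPlain);
  return true;
}
```
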