Skip to content
This repository was archived by the owner on Nov 9, 2018. It is now read-only.

Comments

Fix: Hash passwords when 'client_secret' exists in POSTed data#34

Merged
rchavik merged 1 commit intothomseddon:masterfrom
xintesa:fix-client-secret
Aug 22, 2013
Merged

Fix: Hash passwords when 'client_secret' exists in POSTed data#34
rchavik merged 1 commit intothomseddon:masterfrom
xintesa:fix-client-secret

Conversation

@rchavik
Copy link
Collaborator

@rchavik rchavik commented Aug 19, 2013

Without this check, client_secret will be 'corrupted' in some cases, eg:
when updating redirect_uri (without specifying existing secret):

$this->Client->save(array(
    'id' => 'foo',
    'redirect_uri' => 'http://mysite.com',
));

@rchavik rchavik mentioned this pull request Aug 19, 2013
Open
@rchavik
Copy link
Collaborator Author

rchavik commented Aug 19, 2013

Ouch, this actually applies to other models as well: RefreshToken, AccessToken, etc.

What do you think of having a behavior to do this instead? Any suggestion for the behavior name?

@thomseddon
Copy link
Owner

thomseddon commented Aug 20, 2013

Good find, this is a pretty glaring oversight and is definitely not the intended behaviour.

My opinion would be that it probably doesn't warrant a behaviour, especially as each model hashes a different field.

Would be good to get this + the same fix for the other two models in right away.

@rchavik
Copy link
Collaborator Author

rchavik commented Aug 20, 2013

Thom,

It might be useful to do this in behavior, because then we can implement the fix in beforeSave() and the implement auto-hashing in beforeFind() like discussed in #33. What do you think?

@thomseddon
Copy link
Owner

thomseddon commented Aug 20, 2013

Well let's see what it looks like as a behaviour....

@rchavik
Copy link
Collaborator Author

rchavik commented Aug 20, 2013

Thom,

I've updated the PR for now, but please don't merge it yet as this was done while I was somewhat intoxicated :)

@rchavik
Fix/enhancement: Adding HashedFieldBehavior
ca91a4a 
The behavior hashes configure fields when they exists in POSTed data

Without this check, 'secret fields' will be 'corrupted' for some cases.
For eg: when updating redirect_uri (without specifying existing secret):

$this->Client->save(array(
	'id' => 'foo',
	'redirect_uri' => 'http://mysite.com',
));

will cause 'client_secret' to be populated with a hash of an empty string.

The behavior also implements a beforeFind() method, that removes the
need to manually hash field in $conditions
@rchavik
Copy link
Collaborator Author

rchavik commented Aug 21, 2013

Okay.. i think this is now ok. (forgot to update this PR)

@rchavik
Copy link
Collaborator Author

rchavik commented Aug 22, 2013

I plan to merge this to master, and then start a separate next branch and merge the other 2 PRs there.

Comments?

@thomseddon
Copy link
Owner

thomseddon commented Aug 22, 2013

Seems OK to me, although I haven't tested - good work on starting to build in the tests, would be very very good to ensure consistency in the "next" branch

@rchavik rchavik merged commit ca91a4a into thomseddon:master Aug 22, 2013
@rchavik
Copy link
Collaborator Author

rchavik commented Aug 22, 2013

Ok. Merged. I'm prepared the next branch. Currently, I've merged them in my fork. I'll get it upstream tomorrow evening.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

Bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rchavik @thomseddon