avoid providing internal notes to /whoami endpoint (fixes #170)

georchestra · Jan 21, 2025 · 6823a48 · 6823a48
1 parent 3bb5bec
commit 6823a48
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/gateway/src/main/java/org/georchestra/gateway/app/GeorchestraGatewayApplication.java b/gateway/src/main/java/org/georchestra/gateway/app/GeorchestraGatewayApplication.java
@@ -106,6 +106,8 @@ public Mono<Map<String, Object>> whoami(Authentication principal, ServerWebExcha
         }
 
         Map<String, Object> ret = new LinkedHashMap<>();
+        // notes is an internal field and should not be provided by the /whoami endpoint (see #170)
+        user.setNotes(null);
         ret.put("GeorchestraUser", user);
         if (principal == null) {
             ret.put("Authentication", null);

diff --git a/...est/java/org/georchestra/gateway/security/ldap/extended/ExtendedLdapAuthenticationIT.java b/...est/java/org/georchestra/gateway/security/ldap/extended/ExtendedLdapAuthenticationIT.java
@@ -78,4 +78,14 @@ static void registerLdap(DynamicPropertyRegistry registry) {
                 .isEmpty();
     }
 
+    public @Test void testWhoamiNoNotesRevealed() {
+        testClient.get().uri("/whoami")//
+                .header("Authorization", "Basic dGVzdGFkbWluOnRlc3RhZG1pbg==") // testadmin:testadmin
+                .exchange()//
+                .expectStatus()//
+                .is2xxSuccessful()//
+                .expectBody()//
+                .jsonPath("$.GeorchestraUser.notes").isEmpty();
+    }
+
 }