Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: updating user using FAB security api breaking user password hash #2179

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Always-prog
Copy link
Contributor

Description

Updating a user using the FAB security API breaks the user’s password hash. This is because in the pre_update function of the user model, the item parameter is the user model. The check at this line is always true because the user already has a password.

if item.password:
item.password = generate_password_hash(item.password)

I fixed it by moving checking password change to put endpoint of the user model.

Testing instructions

  1. Enable FAB_ADD_SECURITY_API in the config
  2. Get API token for making requests
import requests
import json

url = "http://localhost:8088/api/v1/security/login"

payload = json.dumps({
  "password": "admin",
  "provider": "db",
  "refresh": True,
  "username": "admin"
})

response = requests.request("POST", url, headers=headers, data=payload)
  1. Change a role/first_name/last_name or any field in user model
target_user_id = 2
url = f"http://localhost:8088/api/v1/security/users/{target_user_id}"

payload = json.dumps({
  "roles": [
    3,
    4
  ]
})
headers = {
  'Authorization': 'Bearer <token>',
  'Content-Type': 'application/json'
}

response = requests.request("PUT", url, headers=headers, data=payload)

After 3 step, target user is not able to login with her old password

ADDITIONAL INFORMATION

  • Has associated issue:
  • Is CRUD MVC related.
  • Is Auth, RBAC security related.
  • Changes the security db schema.
  • Introduces new feature
  • Removes existing feature

Copy link

codecov bot commented Dec 27, 2023

Codecov Report

Attention: Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.

Project coverage is 48.36%. Comparing base (59db85d) to head (bc6e81a).
Report is 30 commits behind head on master.

Files Patch % Lines
flask_appbuilder/security/sqla/apis/user/api.py 0.00% 2 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (59db85d) and HEAD (bc6e81a). Click for more details.

HEAD has 7 uploads less than BASE
Flag BASE (59db85d) HEAD (bc6e81a)
python 8 1
Additional details and impacted files
@@             Coverage Diff             @@
##           master    #2179       +/-   ##
===========================================
- Coverage   79.31%   48.36%   -30.96%     
===========================================
  Files          72       72               
  Lines        8974     8699      -275     
===========================================
- Hits         7118     4207     -2911     
- Misses       1856     4492     +2636     
Flag Coverage Δ
python 48.36% <0.00%> (-30.96%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@Always-prog
Copy link
Contributor Author

I'll look why test cases failing

@18191518054
Copy link

Is there a solution?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants