From d1d4734031dbc730d545a431d9ea777cc368fa84 Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Fri, 6 Nov 2020 15:51:52 +0100
Subject: [PATCH] Avoid uri to be sent to front-end
---
 app/TwoFAccount.php | 8 ++++++++
 tests/Feature/ProtectDbTest.php | 14 +++----------
 tests/Unit/TwoFAccountTest.php | 17 +++++++++++------
 3 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/app/TwoFAccount.php b/app/TwoFAccount.php
index ac8fd515..3844a2d8 100644
--- a/app/TwoFAccount.php
+++ b/app/TwoFAccount.php
@@ -42,6 +42,14 @@ class TwoFAccount extends Model implements Sortable
 protected $appends = ['otpType', 'counter'];
+ /**
+ * The attributes that should be hidden for arrays.
+ *
+ * @var array
+ */
+ protected $hidden = ['uri'];
+
+
 /**
 * Override The "booting" method of the model
 *
diff --git a/tests/Feature/ProtectDbTest.php b/tests/Feature/ProtectDbTest.php
index 32abc28d..265a1917 100644
--- a/tests/Feature/ProtectDbTest.php
+++ b/tests/Feature/ProtectDbTest.php
@@ -60,7 +60,6 @@ class ProtectDbTest extends TestCase
 ->assertJsonFragment([
 'service' => 'test',
 'account' => Crypt::decryptString($encrypted->account),
- 'uri' => Crypt::decryptString($encrypted->uri),
 ]);
 $response = $this->actingAs($this->user, 'api')
@@ -69,7 +68,6 @@ class ProtectDbTest extends TestCase
 ->assertJsonFragment([
 'service' => 'testAlt',
 'account' => Crypt::decryptString($encryptedAlt->account),
- 'uri' => Crypt::decryptString($encryptedAlt->uri),
 ]);
 }
@@ -129,7 +127,6 @@ class ProtectDbTest extends TestCase
 ->assertJsonFragment([
 'service' => 'test',
 'account' => 'test@test.com',
- 'uri' => 'otpauth://totp/test@test.com?secret=A4GRFHVVRBGY7UIW&issuer=test',
 ]);
 $response = $this->actingAs($this->user, 'api')
@@ -138,7 +135,6 @@ class ProtectDbTest extends TestCase
 ->assertJsonFragment([
 'service' => 'testAlt',
 'account' => 'testAlt@test.com',
- 'uri' => 'otpauth://totp/testAlt@test.com?secret=A4GRFHVVRBGY7UIW&issuer=testAlt',
 ]);
 }
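Review bot: The docblock added above `$hidden` repeats the framework template and does not record why `uri` is the one attribute being hidden; the test fixtures in this same patch show the value is an `otpauth://` URI whose `secret=` parameter is the account's shared secret, which is the reason worth writing down, e.g. `* The otpauth URI embeds the shared secret; hiding it keeps it out of toArray()/toJson() output such as API responses.` Note that `$hidden` only filters Eloquent serialization: code that reads `$account->uri` explicitly, calls `makeVisible('uri')`, or returns rows straight from the query builder still exposes the value, so those call sites (not visible in this diff) are worth checking separately. The enclosing class starts and ends outside the hunk.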
@@ -170,7 +166,6 @@ class ProtectDbTest extends TestCase
 ->assertJsonFragment([
 'service' => 'test',
 'account' => 'test@test.com',
- 'uri' => 'otpauth://totp/test@test.com?secret=A4GRFHVVRBGY7UIW&issuer=test',
 ]);
 $response = $this->actingAs($this->user, 'api')
@@ -179,7 +174,6 @@ class ProtectDbTest extends TestCase
 ->assertJsonFragment([
 'service' => 'testAlt',
 'account' => 'testAlt@test.com',
- 'uri' => 'otpauth://totp/testAlt@test.com?secret=A4GRFHVVRBGY7UIW&issuer=testAlt',
 ]);
 }
@@ -199,7 +193,7 @@ class ProtectDbTest extends TestCase
 ->json('POST', '/api/settings/options', [
 'useEncryption' => true,
 ])
- ->assertStatus(422);
+ ->assertStatus(400);
 // Check ProtectDB option is not active
 $response = $this->actingAs($this->user, 'api')
@@ -234,7 +228,7 @@ class ProtectDbTest extends TestCase
 ->json('POST', '/api/settings/options', [
 'useEncryption' => false,
 ])
- ->assertStatus(422);
+ ->assertStatus(400);
 // Check ProtectDB option has been restored
 $response = $this->actingAs($this->user, 'api')
@@ -263,15 +257,13 @@ class ProtectDbTest extends TestCase
 DB::table('twofaccounts')
 ->where('id', 1)
 ->update([
- 'account' => 'IAmYourFather',
- 'uri' => 'YouShallNotPass',
+ 'account' => 'YoushallNotPass',
 ]);
 $response = $this->actingAs($this->user, 'api')
 ->json('GET', '/api/twofaccounts/1')
 ->assertStatus(200)
 ->assertJsonFragment([
- 'uri' => '*encrypted*',
 'account' => '*encrypted*',
 ]);
 }
diff --git a/tests/Unit/TwoFAccountTest.php b/tests/Unit/TwoFAccountTest.php
index 67daaa48..b5e1c189 100644
--- a/tests/Unit/TwoFAccountTest.php
+++ b/tests/Unit/TwoFAccountTest.php
@@ -48,8 +48,10 @@ class TwoFAccountTest extends TestCase
 ->assertJsonFragment([
 'service' => 'testTOTP',
 'account' => 'test@test.com',
- 'uri' => 'otpauth://totp/test@test.com?secret=A4GRFHVVRBGY7UIW&issuer=test',
 'icon' => 'test.png',
+ ])
+ ->assertJsonMissing([
+ 'uri' => 'otpauth://totp/test@test.com?secret=A4GRFHVVRBGY7UIW&issuer=test',
 ]);
 }
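Review bot: The `assertStatus(422)` to `assertStatus(400)` change in the -199 hunk (and again in the -234 hunk) on the `/api/settings/options` POST is not explained by the commit subject, which is about hiding `uri`, and the patch contains no change to that endpoint; either the status code changed in another commit or these tests were failing before. Either way the expected response code should be stated in the commit message or the change split out, otherwise a reviewer cannot tell whether 400 is the intended validation response for a rejected `useEncryption` toggle. The enclosing test methods start and end outside both hunks.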
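Review bot: Dropping `'uri' => 'YouShallNotPass'` from the `update([...])` in the -263 hunk removes the only test that exercised a GET against a corrupted `uri` ciphertext; with `uri` now hidden the response no longer shows it, but if the model still decrypts that column when it is loaded (not visible here), a tampered value could turn the request into an error rather than the asserted 200. Keep tampering both columns and only narrow the assertion: `'account' => 'YoushallNotPass', 'uri' => 'YouShallNotPass',` in the update, while the `assertJsonFragment` checks `'account' => '*encrypted*'` alone. The enclosing test method starts outside the hunk.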
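Review bot: The `assertJsonMissing(['uri' => 'otpauth://...'])` added in the -48 hunk of TwoFAccountTest only proves that this exact key/value pair is absent, so a response that still carried `uri` with any other value, for example the stored encrypted string or a regenerated URI, would pass; the -85 and -218 hunks of the same file use the same pattern. Since the point of the commit is that the key is never sent, assert on the key itself, e.g. `self::assertArrayNotHasKey('uri', $response->json());` after the chain (the variable holding the TestResponse starts outside the hunk, so its name is assumed). The enclosing test method starts outside the hunk.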
@@ -85,8 +87,10 @@ class TwoFAccountTest extends TestCase
 ->assertJsonFragment([
 'service' => 'testCreation',
 'account' => 'test@example.org',
- 'uri' => 'otpauth://totp/test@test.com?secret=A4GRFHZVRBGY7UIW&issuer=test',
 'icon' => 'test.png',
+ ])
+ ->assertJsonMissing([
+ 'uri' => 'otpauth://totp/test@test.com?secret=A4GRFHVVRBGY7UIW&issuer=test',
 ]);
 }
@@ -218,8 +222,10 @@ class TwoFAccountTest extends TestCase
 'id' => 1,
 'service' => 'testUpdate',
 'account' => 'testUpdate@test.com',
- 'uri' => $twofaccount->uri,
 'icon' => 'testUpdate.png',
+ ])
+ ->assertJsonMissing([
+ 'uri' => $twofaccount->uri,
 ]);
 }
@@ -242,15 +248,15 @@ class TwoFAccountTest extends TestCase
 'service' => 'testUpdate.com',
 'account' => 'testUpdate',
 'icon' => 'testUpdate.png',
- 'counter' => '5'
+ 'counter' => 5
 ])
 ->assertStatus(200)
 ->assertJsonFragment([
 'id' => 1,
 'service' => 'testUpdate.com',
 'account' => 'testUpdate',
- 'uri' => 'otpauth://hotp/service?counter=5&secret=A4GRFHVVRBGY7UIW',
 'icon' => 'testUpdate.png',
+ 'counter' => 5,
 ]);
 }
@@ -293,7 +299,6 @@ class TwoFAccountTest extends TestCase
 'id',
 'service',
 'account',
- 'uri',
 'icon',
 'created_at',
 'updated_at'
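Review bot: The `assertJsonMissing` added in the -85 hunk looks for `secret=A4GRFHVVRBGY7UIW`, but the fragment this test previously expected (the removed line just above it) used `secret=A4GRFHZVRBGY7UIW`; the new assertion therefore checks for a value the response never contained and passes whether or not `uri` is hidden. Either reuse the original value, `'uri' => 'otpauth://totp/test@test.com?secret=A4GRFHZVRBGY7UIW&issuer=test',`, or assert on the key with `self::assertArrayNotHasKey('uri', $response->json());` (the TestResponse variable starts outside the hunk, so its name is assumed). The enclosing test method starts outside the hunk.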