Francesco Chicchiriccò created SYNCOPE-1966:
-----------------------------------------------
Summary: Do not include security sensitive information in returned
UserTO payloads
Key: SYNCOPE-1966
URL: https://issues.apache.org/jira/browse/SYNCOPE-1966
Project: Syncope
Issue Type: Task
Components: common, console, core
Reporter: Francesco Chicchiriccò
Assignee: Francesco Chicchiriccò
Fix For: 4.1.1, 5.0.0
{{UserTO}} instances returned as payload by some Core REST services
currently contain a few fields that can be safely dropped:
* password
* token
* tokenExpireTime
* securityAnswer
Such fields are in fact:
* mostly blank by default (depending on the value of configuration parameter
{{return.password.value}})
* not usable by callers (being hashed)
* anyway accessible only to administrators owning the {{USER_READ}} entitlement
for the Realm the user belongs to
Thus, there are enough reasons to just get rid of them.
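As an added example (not part of this issue or of the Syncope code base), a check that a regression test or a response-inspection step could run over a decoded REST payload: it reports every occurrence of the four fields above at any nesting depth, and separately lists those that carry a non-blank value. The paged-result wrapper and the user values are constructed.

```python
import json

# The four UserTO fields SYNCOPE-1966 drops from REST payloads; flag them
# wherever they appear, at any nesting depth (e.g. inside a paged result).
SENSITIVE_FIELDS = frozenset({"password", "token", "tokenExpireTime", "securityAnswer"})


def find_sensitive_fields(payload, path="$"):
    """Return (json_path, value) for every sensitive key in a decoded JSON
    payload. Presence is reported even when the value is null or blank,
    because the fix removes the fields rather than blanking them."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_FIELDS:
                hits.append((child, value))
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits


def leaked_values(hits):
    """Subset of hits whose value is non-blank: data actually exposed, which
    is what happens when return.password.value is enabled."""
    return [(p, v) for p, v in hits if v not in (None, "")]


# Constructed sample (not captured from Syncope): a paged search result
# holding one UserTO as serialised before the fix.
BEFORE_FIX = json.loads("""{
  "totalCount": 1,
  "result": [{
    "key": "00000000-0000-0000-0000-000000000000",
    "username": "alice",
    "realm": "/",
    "password": "{SSHA256}constructed-hash-value",
    "token": null,
    "tokenExpireTime": null,
    "securityAnswer": ""
  }]
}""")

# Same payload with the four fields removed, as after the fix.
AFTER_FIX = json.loads(json.dumps(BEFORE_FIX))
for user in AFTER_FIX["result"]:
    for field in SENSITIVE_FIELDS:
        user.pop(field, None)

if __name__ == "__main__":
    hits = find_sensitive_fields(BEFORE_FIX)
    print(f"before fix: {len(hits)} sensitive fields, {len(leaked_values(hits))} with data")
    print(f"after fix:  {len(find_sensitive_fields(AFTER_FIX))} sensitive fields")
```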
--
This message was sent by Atlassian Jira
(v8.20.10#820010)