Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: updating user using FAB security api breaking user password hash #2179

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: updating user using FAB security api breaking user password hash #2179

wants to merge 1 commit into from

Conversation

Always-prog
Copy link
Contributor

Description

Updating a user using the FAB security API breaks the user’s password hash. This is because in the pre_update function of the user model, the item parameter is the user model. The check at this line is always true because the user already has a password.

Flask-AppBuilder/flask_appbuilder/security/sqla/apis/user/api.py

Lines 71 to 72 in 59db85d

if item.password:
item.password = generate_password_hash(item.password)

I fixed it by moving checking password change to put endpoint of the user model.

Testing instructions

  1. Enable FAB_ADD_SECURITY_API in the config
  2. Get API token for making requests
import requests
import json

url = "http://localhost:8088/api/v1/security/login"

payload = json.dumps({
  "password": "admin",
  "provider": "db",
  "refresh": True,
  "username": "admin"
})

response = requests.request("POST", url, headers=headers, data=payload)
  1. Change a role/first_name/last_name or any field in user model
target_user_id = 2
url = f"http://localhost:8088/api/v1/security/users/{target_user_id}"

payload = json.dumps({
  "roles": [
    3,
    4
  ]
})
headers = {
  'Authorization': 'Bearer <token>',
  'Content-Type': 'application/json'
}

response = requests.request("PUT", url, headers=headers, data=payload)

After 3 step, target user is not able to login with her old password

ADDITIONAL INFORMATION

  • Has associated issue:
  • Is CRUD MVC related.
  • Is Auth, RBAC security related.
  • Changes the security db schema.
  • Introduces new feature
  • Removes existing feature

@codecov Codecov
Copy link

codecov bot commented Dec 27, 2023

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (59db85d) 79.31% compared to head (bc6e81a) 48.36%.

Files Patch % Lines
flask_appbuilder/security/sqla/apis/user/api.py 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff             @@
##           master    #2179       +/-   ##
===========================================
- Coverage   79.31%   48.36%   -30.96%     
===========================================
  Files          72       72               
  Lines        8974     8699      -275     
===========================================
- Hits         7118     4207     -2911     
- Misses       1856     4492     +2636
Flag Coverage Δ
python 48.36% <0.00%> (-30.96%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@Always-prog
Copy link
Contributor Author

I'll look why test cases failing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@Always-prog