fix: hide sensitive fields in a user call

cdeleeuwe · Jul 26, 2020 · f59cccb · f59cccb
1 parent 775bd2b
commit f59cccb
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/go/pkg/pwapi/activity_test.go b/go/pkg/pwapi/activity_test.go
@@ -94,6 +94,10 @@ func TestActivity(t *testing.T) {
 
 	// validate challenge
 	{
+		db := testingSvcDB(t, svc)
+		// fetch full instance objects (base object is cleaned)
+		err := db.First(&freeChallenge.Flavor.Instances[0], "ID = ?", freeChallenge.Flavor.Instances[0].ID).Error
+		require.NoError(t, err)
 		configData, err := freeChallenge.Flavor.Instances[0].ParseInstanceConfig()
 		require.NoError(t, err)
 		input := ChallengeSubscriptionValidate_Input{

diff --git a/go/pkg/pwapi/api_season-challenge-list.go b/go/pkg/pwapi/api_season-challenge-list.go
@@ -49,12 +49,16 @@ func (svc *service) SeasonChallengeList(ctx context.Context, in *SeasonChallenge
 		//fmt.Println(sc.ID, godev.PrettyJSON(sc.Flavor.Instances))
 		for _, instance := range sc.Flavor.Instances {
 			// FIXME: hide instances without nginx-url?
+			instance.InstanceConfig = nil
 			if instance.Agent != nil {
-				hash, err := pwdb.ChallengeInstancePrefixHash(fmt.Sprintf("%d", instance.ID), userID, instance.Agent.AuthSalt)
-				if err != nil {
-					return nil, errcode.ErrGeneratePrefixHash.Wrap(err)
+				if len(sc.Subscriptions) > 0 {
+					hash, err := pwdb.ChallengeInstancePrefixHash(fmt.Sprintf("%d", instance.ID), userID, instance.Agent.AuthSalt)
+					if err != nil {
+						return nil, errcode.ErrGeneratePrefixHash.Wrap(err)
+					}
+					instance.NginxURL = fmt.Sprintf("http://%s.%s", hash, instance.Agent.DomainSuffix)
 				}
-				instance.NginxURL = fmt.Sprintf("http://%s.%s", hash, instance.Agent.DomainSuffix)
+				instance.AgentID = 0
 				instance.Agent = nil
 			}
 		}