From f59cccbd540fdc59491ccce571d031bacb4b0cbe Mon Sep 17 00:00:00 2001
From: Manfred Touron <94029+moul@users.noreply.github.com>
Date: Mon, 27 Jul 2020 00:16:17 +0200
Subject: [PATCH] fix: hide sensitive fields in a user call
---
 go/pkg/pwapi/activity_test.go | 4 ++++
 go/pkg/pwapi/api_season-challenge-list.go | 12 ++++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/go/pkg/pwapi/activity_test.go b/go/pkg/pwapi/activity_test.go
index 00eb04c74..19bac3687 100644
--- a/go/pkg/pwapi/activity_test.go
+++ b/go/pkg/pwapi/activity_test.go
@@ -94,6 +94,10 @@ func TestActivity(t *testing.T) {
 // validate challenge
 {
+ db := testingSvcDB(t, svc)
+ // fetch full instance objects (base object is cleaned)
+ err := db.First(&freeChallenge.Flavor.Instances[0], "ID = ?", freeChallenge.Flavor.Instances[0].ID).Error
+ require.NoError(t, err)
 configData, err := freeChallenge.Flavor.Instances[0].ParseInstanceConfig()
 require.NoError(t, err)
 input := ChallengeSubscriptionValidate_Input{
diff --git a/go/pkg/pwapi/api_season-challenge-list.go b/go/pkg/pwapi/api_season-challenge-list.go
index 18b5c8387..4cd52736d 100644
--- a/go/pkg/pwapi/api_season-challenge-list.go
+++ b/go/pkg/pwapi/api_season-challenge-list.go
@@ -49,12 +49,16 @@ func (svc *service) SeasonChallengeList(ctx context.Context, in *SeasonChallenge
 //fmt.Println(sc.ID, godev.PrettyJSON(sc.Flavor.Instances))
 for _, instance := range sc.Flavor.Instances {
 // FIXME: hide instances without nginx-url?
+ instance.InstanceConfig = nil
 if instance.Agent != nil {
- hash, err := pwdb.ChallengeInstancePrefixHash(fmt.Sprintf("%d", instance.ID), userID, instance.Agent.AuthSalt)
- if err != nil {
- return nil, errcode.ErrGeneratePrefixHash.Wrap(err)
+ if len(sc.Subscriptions) > 0 {
+ hash, err := pwdb.ChallengeInstancePrefixHash(fmt.Sprintf("%d", instance.ID), userID, instance.Agent.AuthSalt)
+ if err != nil {
+ return nil, errcode.ErrGeneratePrefixHash.Wrap(err)
+ }
+ instance.NginxURL = fmt.Sprintf("http://%s.%s", hash, instance.Agent.DomainSuffix)
 }
- instance.NginxURL = fmt.Sprintf("http://%s.%s", hash, instance.Agent.DomainSuffix)
+ instance.AgentID = 0
 instance.Agent = nil
 }
 }
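Review bot: `instance.AgentID = 0` sits inside `if instance.Agent != nil`, so an instance whose Agent relation was not loaded is still returned with its agent ID; the reset belongs next to `instance.InstanceConfig = nil`, ahead of the nil check. The scrubbing is a per-field denylist applied to the stored model, so any sensitive field added to the instance type later is exposed by default, and `NginxURL` keeps whatever value it was loaded with when `len(sc.Subscriptions) == 0`. If that field can be populated before this loop (not visible here), add `instance.NginxURL = ""` for that case. The gate `len(sc.Subscriptions) > 0` is only as strong as the query that fills `sc.Subscriptions`, which lies outside the hunk, so it is worth confirming that it is limited to the caller's own team and to subscriptions that are still open. SeasonChallengeList starts and ends outside this hunk.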