diff --git a/gateway/src/main/java/org/georchestra/gateway/app/GeorchestraGatewayApplication.java b/gateway/src/main/java/org/georchestra/gateway/app/GeorchestraGatewayApplication.java
index d49ff0dd..61846e6e 100644
--- a/gateway/src/main/java/org/georchestra/gateway/app/GeorchestraGatewayApplication.java
+++ b/gateway/src/main/java/org/georchestra/gateway/app/GeorchestraGatewayApplication.java
@@ -106,6 +106,11 @@ public Mono> whoami(Authentication principal, ServerWebExcha
 }
 Map ret = new LinkedHashMap<>();
+ if (user != null) {
+ // notes is an internal field and should not be provided by the /whoami endpoint
+ // (see #170)
+ user.setNotes(null);
+ }
 ret.put("GeorchestraUser", user);
 if (principal == null) {
 ret.put("Authentication", null);
diff --git a/gateway/src/test/java/org/georchestra/gateway/security/ldap/extended/ExtendedLdapAuthenticationIT.java b/gateway/src/test/java/org/georchestra/gateway/security/ldap/extended/ExtendedLdapAuthenticationIT.java
index cdd5615e..cc0d2276 100644
--- a/gateway/src/test/java/org/georchestra/gateway/security/ldap/extended/ExtendedLdapAuthenticationIT.java
+++ b/gateway/src/test/java/org/georchestra/gateway/security/ldap/extended/ExtendedLdapAuthenticationIT.java
@@ -78,4 +78,23 @@ static void registerLdap(DynamicPropertyRegistry registry) {
 .isEmpty();
 }
+ public @Test void testWhoamiNoNotesRevealed() {
+ testClient.get().uri("/whoami")//
+ .header("Authorization", "Basic dGVzdGFkbWluOnRlc3RhZG1pbg==") // testadmin:testadmin
+ .exchange()//
+ .expectStatus()//
+ .is2xxSuccessful()//
+ .expectBody()//
+ .jsonPath("$.GeorchestraUser.notes").isEmpty();
+ }
+
+ public @Test void testWhoamiNoAuth() {
+ testClient.get().uri("/whoami")//
+ .exchange()//
+ .expectStatus()//
+ .is2xxSuccessful()//
+ .expectBody()//
+ .jsonPath("$.GeorchestraUser").isEmpty();
+ }
+
 }
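Review bot: `user.setNotes(null)` in the added block clears the field on the resolved user object itself rather than on a copy made for the response; if that instance is the one held by the authentication or by a per-session cache (not visible in this hunk), the notes are silently lost for every later consumer in the same session, which is an unexpected side effect for a read-only endpoint. Nulling one field is also a denylist approach, so any further internal field added to the user type later is exposed by /whoami by default. A more robust shape is to put a response-only copy or a dedicated view of the user into `ret`, or to have the JSON mapper omit the field (Jackson's `@JsonIgnore`, if no other serialization of this type relies on notes); at minimum the comment should say why the object is mutated in place rather than copied, e.g. `// mutates the resolved user: safe only if this instance is not shared beyond this request`. The enclosing whoami method starts before and ends after this hunk.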
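Review bot: `jsonPath("$.GeorchestraUser.notes").isEmpty()` in testWhoamiNoNotesRevealed is satisfied by both a null and an absent notes value and says nothing about the rest of the user payload, so as far as the hunk shows the test does not document that the authenticated user is still returned, only that notes is not. Adding `.jsonPath("$.GeorchestraUser").exists()` before the notes check, or asserting one field expected to be populated for testadmin, pins the intended contract (user present, notes stripped) and distinguishes it from the user being dropped. The `public @Test void` modifier order in both new methods is unusual; the conventional placement is `@Test public void` (or `@Test void` with JUnit 5).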