Return client Secrets when listing clients with basic auth. If the request to list clients is sent with basic auth containing the login and password for the owner of the client, its secret is not removed from the response before sending it.
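--- a/client.go
+++ b/client.go
@@ -559,7 +559,6 @@
 	errors := []requestError{}
 	var err error
 	// BUG(paddy): If ids are provided in query params, retrieve only those clients
-	// BUG(paddy): We should have auth when listing clients
 	num := defaultClientResponseSize
 	offset := 0
 	ownerIDStr := r.URL.Query().Get("owner_id")
@@ -599,9 +598,30 @@
 		encode(w, r, http.StatusInternalServerError, response{Errors: errors})
 		return
 	}
-	for pos, client := range clients {
-		client.Secret = ""
-		clients[pos] = client
+	username, password, ok := r.BasicAuth()
+	if !ok {
+		for pos, client := range clients {
+			client.Secret = ""
+			clients[pos] = client
+		}
+	} else {
+		profile, err := authenticate(username, password, c)
+		if err != nil {
+			if isAuthError(err) {
+				errors = append(errors, requestError{Slug: requestErrAccessDenied})
+				encode(w, r, http.StatusUnauthorized, response{Errors: errors})
+			} else {
+				errors = append(errors, requestError{Slug: requestErrActOfGod})
+				encode(w, r, http.StatusInternalServerError, response{Errors: errors})
+			}
+			return
+		}
+		for pos, client := range clients {
+			if !client.OwnerID.Equal(profile.ID) {
+				client.Secret = ""
+				clients[pos] = client
+			}
+		}
 	}
 	resp := response{
 		Clients: clients,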
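Review bot: The new `http.StatusUnauthorized` response in the second hunk is sent without a `WWW-Authenticate` header, which a 401 is expected to carry so Basic-Auth clients know which scheme to retry with; unless `encode` already sets it (not visible here), add `w.Header().Set("WWW-Authenticate", `+"`"+`Basic realm="<REALM>"`+"`"+`)` before that `encode` call. In the same branch, `profile, err := authenticate(username, password, c)` declares a block-scoped `err` that shadows the `var err error` from the first hunk; it is harmless as long as nothing after the `else` block reads the outer `err`, but `go vet -vettool=shadow` will flag it, so consider `var profile ...` plus `=`. The first hunk drops the `BUG(paddy): We should have auth when listing clients` note, yet the new code still serves the full (redacted) client list to anonymous requests, so that open item appears to remain — worth keeping the note or recording the decision. Since the secret-disclosure rule is now spread across two loops, a comment above `r.BasicAuth()` such as `// Secrets are returned only for clients owned by the Basic-Auth-authenticated profile; every other client is redacted.` would make the contract explicit. The enclosing handler starts before and ends after this hunk.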