From c037ddb59a571a91c32715ab10376f07bd41e5aa Mon Sep 17 00:00:00 2001
From: Moritz Bitsch
Date: Fri, 15 Oct 2021 16:14:48 +0200
Subject: [PATCH] Strip passwords from stored uiaa entries Passwords should never be stored in db
---
 src/database/uiaa.rs | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/src/database/uiaa.rs b/src/database/uiaa.rs
index 1c0fb56..93f6b3b 100644
--- a/src/database/uiaa.rs
+++ b/src/database/uiaa.rs
@@ -153,10 +153,21 @@ impl Uiaa {
 userdevicesessionid.push(0xff);
 userdevicesessionid.extend_from_slice(session.as_bytes());
- self.userdevicesessionid_uiaarequest.insert(
- &userdevicesessionid,
- &serde_json::to_vec(request).expect("json value to vec always works"),
- )?;
+ if request.is_object() {
+ if let Some(object) = request.clone().as_object_mut() {
+ object.remove("password");
+
+ self.userdevicesessionid_uiaarequest.insert(
+ &userdevicesessionid,
+ &serde_json::to_vec(object).expect("json value to vec always works"),
+ )?;
+ }
+ } else {
+ self.userdevicesessionid_uiaarequest.insert(
+ &userdevicesessionid,
+ &serde_json::to_vec(request).expect("json value to vec always works"),
+ )?;
+ }
 Ok(())
 }
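Review bot: Only a top-level `password` key is removed before the request is written to `userdevicesessionid_uiaarequest`, so a secret under another name or nested one level down (for example a `new_password` field or a `password` inside an `auth` object, if such bodies can reach this function) would still be persisted. The caller and the shape of `request` are outside the hunk, so this needs confirming against the routes that store UIAA requests; entries written before this change also keep whatever they contained unless they are purged separately. The `is_object()` test followed by `as_object_mut()` checks the same condition twice and duplicates the insert call; cloning once into a local and inserting once, as below, serialises the same bytes and leaves a single write path where further keys can be stripped. The enclosing function starts above the hunk.

```rust
// … unchanged: userdevicesessionid key construction …
let mut stored = request.clone();
if let Some(object) = stored.as_object_mut() {
    // Top-level only: other secret-bearing keys, if any can reach here, need stripping too.
    object.remove("password");
}

self.userdevicesessionid_uiaarequest.insert(
    &userdevicesessionid,
    &serde_json::to_vec(&stored).expect("json value to vec always works"),
)?;
// … unchanged: Ok(()) …
```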