UserPass should have no ToJSON instance

Open ChristianSi opened this issue 9 years ago • 2 comments

ToJSON instance of newtype UserPass should go away in order to avoid accidental leakage of cleartext passwords. (Under no circumstances render to something like "[password hidden]", as that can cause a lot of confusion.)

See BUG marker in thentos-core/src/Thentos/Types.hs.

ChristianSi, Dec 01 '15 16:12

While working on #463, I tried to comment out the ToJSON instance of UserPass and all types that depend on it. Normally this shouldn't cause any issues, but I had to give up because of:

src/Thentos/Backend/Api/Simple.hs:51:17:
    No instance for (aeson-0.8.1.1:Data.Aeson.Types.Class.ToJSON
                       UserFormData)
      arising from a use of ‘restDocs’
    In the first argument of ‘(:<|>)’, namely ‘restDocs cfg p’
    In the second argument of ‘serve’, namely
      ‘(restDocs cfg p :<|> api astate)’
    In the expression: serve p (restDocs cfg p :<|> api astate)

UserFormData is only used as input in our API, so there is no good reason why Servant wants a ToJSON instance. Very annoying.

ChristianSi, Jan 25 '16 17:01

> Very annoying.

sorry (-:

The reason is that the generated markup docs contain examples of all involved types as JSON. I'll try to think of a way to deal with this.

fisx, Jan 25 '16 17:01
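The end state the issue asks for, as an added sketch that is not code from thentos: request types carrying a `UserPass` are decode-only, and responses go through a separate type that has no password field. The field names, the `UserView` type and the sample body are assumptions made for this example.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import Data.Aeson
  (FromJSON (..), ToJSON (..), eitherDecode, encode, object, withObject, withText, (.:), (.=))
import qualified Data.ByteString.Lazy.Char8 as BL
import Data.Text (Text)

-- Cleartext password: it can be parsed from a request, but there is no
-- ToJSON instance, so `encode` on it (or on anything containing it) is a
-- compile-time error rather than a runtime leak.
newtype UserPass = UserPass Text

instance FromJSON UserPass where
  parseJSON = withText "UserPass" (pure . UserPass)

-- Request body, input only (field names are assumptions of this sketch).
data UserFormData = UserFormData
  { udName     :: Text
  , udPassword :: UserPass
  }

instance FromJSON UserFormData where
  parseJSON = withObject "UserFormData" $ \o ->
    UserFormData <$> o .: "name" <*> o .: "password"

-- Hypothetical response type: the only thing that is ever serialized.
newtype UserView = UserView Text

instance ToJSON UserView where
  toJSON (UserView name) = object ["name" .= name]

toView :: UserFormData -> UserView
toView = UserView . udName

main :: IO ()
main = do
  -- Constructed sample request body.
  let body = "{\"name\":\"alice\",\"password\":\"constructed-secret\"}"
  case eitherDecode body of
    Left err   -> putStrLn ("parse error: " ++ err)
    Right form -> do
      BL.putStrLn (encode (toView form))
      -- BL.putStrLn (encode form)
      --   rejected by GHC: No instance for (ToJSON UserFormData)
```

Any component that renders example values of request types as JSON, such as the generated docs mentioned in the last comment, will hit the same missing-instance error until it is given samples some other way.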