Remove in query user api the unencrypted password exposed

[glutengo]

Describe the bug
At numerous places in the application, the value of the password property of the user entity are delivered in plain text. This affects (incomplete):

• GET /api/admin/users
• GET /api/account

The password should not be readable to anyone, not even the admin. The password should be at least encrypted, but it would be better if it was not included in the serialized user object at all.

To Reproduce
Steps to reproduce the behavior:

1. Generate a new app via nhipster
2. Select the default option for every question
3. Login as admin
4. Go to User Management
5. Open Dev Tools Check the returned data for the listed endpoints

Expected behavior
The password is not part of the serialized user object.

Screenshots

Desktop (please complete the following information):

• OS: iOS 11.3
• NHipster Version 2.0.0-beta.1

NHipster configuration

Additional context
I discovered the problem while working on #214

[glutengo]

I would suggest preventing this by not reading the password from the database as suggested here: https://stackoverflow.com/a/62957519/2202290

However I also noticed that the password is encrypted (rather than hashed). This is not considered best practise because the administrators / developers / ... could steal the password of the users by decrypting the password. Background Information: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#background

[ghost]

Hi @glutengo, thanks for the suggestion!
So, the encryption field is performed automatically by TypeORM. According to you, maybe we could delete password from the object returned by controller GET apis.

[glutengo]

I think it would be good to split it into two issues:
The first (this one) handles what is returned by the API. If we do not read the password from the database at all, it will never be included in any response of the controllers. My PR handles this.

The second issue would be about password encryption / hashing. As stated above, I think it would be better if the password was hashed so that there is no way to decrypt the password.

[ghost]

Ok, it's ok the first PR, you can open a new issue for the second point.

[gmarziou]

Maybe you should consider following some practices from JHipster java:

• process to report and address security issues using github security advisory : https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html#jhipster-release-v630
• carefully select algorithm. For instance, in the past JHipster was using Spring StandardPasswordEncoder that uses SHA-256 hashing with 1024 iterations which is no longer considered secure. Now it uses BCryptPasswordEncoder

[glutengo]

@gmarziou I agree, the bcrypt library is the standard for storing passwords in Node.js web apps too. I have created issue #234 for that.