From e57e20100e0a2a1ef93c422801e53f41d9fff164 Mon Sep 17 00:00:00 2001 From: Henning Perl Date: Mon, 27 Jan 2025 13:12:49 +0100 Subject: [PATCH] fix: allow patching some /credentials sub-paths We still need to disallow `/credentials/oidc`, because patching this would lead to subtle bugs. --- identity/handler.go | 2 +- identity/handler_test.go | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/identity/handler.go b/identity/handler.go index 938344fb48fc..759db3306cf7 100644 --- a/identity/handler.go +++ b/identity/handler.go @@ -916,7 +916,7 @@ func (h *Handler) patch(w http.ResponseWriter, r *http.Request, ps httprouter.Pa patchedIdentity := WithAdminMetadataInJSON(*identity) - if err := jsonx.ApplyJSONPatch(requestBody, &patchedIdentity, "/id", "/stateChangedAt", "/credentials", "/credentials/**"); err != nil { + if err := jsonx.ApplyJSONPatch(requestBody, &patchedIdentity, "/id", "/stateChangedAt", "/credentials", "/credentials/oidc/**"); err != nil { h.r.Writer().WriteError(w, r, errors.WithStack( herodot. ErrBadRequest. diff --git a/identity/handler_test.go b/identity/handler_test.go index 2d002b9ee056..0b9b6ec2f3b2 100644 --- a/identity/handler_test.go +++ b/identity/handler_test.go @@ -1227,7 +1227,7 @@ func TestHandler(t *testing.T) { } }) - t.Run("case=PATCH should fail to update credential password", func(t *testing.T) { + t.Run("case=PATCH should allow to update credential password", func(t *testing.T) { uuid := x.NewUUID().String() email := uuid + "@ory.sh" password := "ljanf123akf" @@ -1247,9 +1247,12 @@ func TestHandler(t *testing.T) { {"op": "replace", "path": "/credentials/password/config/hashed_password", "value": "foo"}, } - res := send(t, ts, "PATCH", "/identities/"+i.ID.String(), http.StatusBadRequest, &patch) + send(t, ts, "PATCH", "/identities/"+i.ID.String(), http.StatusOK, &patch) - assert.EqualValues(t, "patch includes denied path: /credentials/password/config/hashed_password", res.Get("error.message").String(), "%s", res.Raw) + updated, err := reg.PrivilegedIdentityPool().GetIdentityConfidential(ctx, i.ID) + require.NoError(t, err) + assert.Equal(t, "foo", + gjson.GetBytes(updated.Credentials[identity.CredentialsTypePassword].Config, "hashed_password").String()) }) } })