Passwords and REST API
kynx opened this issue · 0 comments
kynx commented
Currently the user returned by the `rest/saiku/admin/users/` endpoint has the `password` property populated with their password hash. If the exact same user object is PUT back, this password gets re-encrypted, effectively preventing them logging in.
I'm aware that omitting the password will stop the password being overwritten. But it would be useful to be able to back up and restore users via the REST API. I would like to add a check to `org.saiku.database.JdbcUserDAO` to see if the password is a bcrypt hash before encoding it.
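A sketch of the kind of check proposed above, as an added example that is not Saiku's code or the author's patch. The class and method names are hypothetical, and the encoder is passed in as a parameter because the page does not show how `JdbcUserDAO` encodes passwords.

```java
import java.util.function.UnaryOperator;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BcryptPassThrough {
    // Modular crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
    private static final Pattern BCRYPT =
        Pattern.compile("\\$2[abxy]?\\$(\\d{2})\\$[./A-Za-z0-9]{53}");

    /** True only for a well-formed bcrypt hash whose cost is in bcrypt's valid range. */
    static boolean isBcryptHash(String value) {
        if (value == null) return false;
        Matcher m = BCRYPT.matcher(value);
        if (!m.matches()) return false;          // whole string must match, no trailing data
        int cost = Integer.parseInt(m.group(1));
        return cost >= 4 && cost <= 31;
    }

    /**
     * Returns the value to persist for a submitted password field.
     * null means "leave the stored hash untouched" (password omitted).
     */
    static String passwordForStorage(String submitted, UnaryOperator<String> encoder) {
        if (submitted == null || submitted.isEmpty()) return null;
        if (isBcryptHash(submitted)) return submitted;   // restored hash: store as-is
        return encoder.apply(submitted);                 // plaintext: encode once
    }

    public static void main(String[] args) {
        // Stand-in encoder (assumption) so the branch taken is visible without a bcrypt library.
        UnaryOperator<String> encoder = p -> "<encoded " + p.length() + " chars>";

        // Constructed sample values, not real credentials.
        String restoredHash = "$2a$10$" + "A".repeat(53);
        String truncated    = "$2a$10$" + "A".repeat(40);
        String badCost      = "$2a$99$" + "A".repeat(53);

        System.out.println(passwordForStorage(restoredHash, encoder)); // unchanged hash
        System.out.println(passwordForStorage("s3cret", encoder));     // encoded
        System.out.println(passwordForStorage(truncated, encoder));    // encoded (not a full hash)
        System.out.println(passwordForStorage(badCost, encoder));      // encoded (invalid cost)
        System.out.println(passwordForStorage(null, encoder));         // null: keep stored hash
    }
}
```

With a check like this, any submitted string in bcrypt format is stored verbatim, so the pass-through is best limited to the admin backup/restore path rather than applied to every password update.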