Opaque encrypted token from account API responses

src/controller/account.go

@@ -64,6 +64,7 @@ func (controller *AccountController) CreateAccountHandler(w http.ResponseWriter,
 	gitService := core.NewGitService(accountCreated.Repository, accountCreated.Token, accountCreated.Branch)
 	go controller.coreHandler.StartAccountHandler(accountCreated.ID.Hex(), gitService)
 
+	opaqueTokenFromResponse(accountCreated)
 	utils.ResponseJSON(w, accountCreated, http.StatusCreated)
 }
 
@@ -78,6 +79,7 @@ func (controller *AccountController) FetchAccountHandler(w http.ResponseWriter,
 		return
 	}
 
+	opaqueTokenFromResponse(account)
 	utils.ResponseJSON(w, account, http.StatusOK)
 }
 
@@ -91,7 +93,13 @@ func (controller *AccountController) FetchAllAccountsByDomainIdHandler(w http.Re
 		return
 	}
 
-	utils.ResponseJSON(w, accounts, http.StatusOK)
+	var accountsResponse []model.Account
+	for _, account := range accounts {
+		opaqueTokenFromResponse(&account)
+		accountsResponse = append(accountsResponse, account)
+	}
+
+	utils.ResponseJSON(w, accountsResponse, http.StatusOK)
 }
 
 func (controller *AccountController) UpdateAccountHandler(w http.ResponseWriter, r *http.Request) {
@@ -115,6 +123,7 @@ func (controller *AccountController) UpdateAccountHandler(w http.ResponseWriter,
 		return
 	}
 
+	opaqueTokenFromResponse(accountUpdated)
 	utils.ResponseJSON(w, accountUpdated, http.StatusOK)
 }
 
@@ -131,3 +140,9 @@ func (controller *AccountController) DeleteAccountHandler(w http.ResponseWriter,
 
 	utils.ResponseJSON(w, nil, http.StatusNoContent)
 }
+
+func opaqueTokenFromResponse(account *model.Account) {
+	if account.Token != "" {
+		account.Token = "..." + account.Token[len(account.Token)-4:]
+	}
+}

src/controller/account_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/switcherapi/switcher-gitops/src/config"
 	"github.com/switcherapi/switcher-gitops/src/model"
+	"github.com/switcherapi/switcher-gitops/src/repository"
 	"github.com/switcherapi/switcher-gitops/src/utils"
 )
 
@@ -29,9 +30,7 @@ func TestCreateAccountHandler(t *testing.T) {
 		assert.Equal(t, http.StatusCreated, response.Code)
 		assert.Nil(t, err)
 		assert.Equal(t, accountV1.Repository, accountResponse.Repository)
-
-		token, _ := utils.Decrypt(accountResponse.Token, config.GetEnv("GIT_TOKEN_PRIVATE_KEY"))
-		assert.Equal(t, accountV1.Token, token)
+		assert.Contains(t, accountResponse.Token, "...")
 	})
 
 	t.Run("Should not create an account - invalid request", func(t *testing.T) {
@@ -78,6 +77,7 @@ func TestFetchAccountHandler(t *testing.T) {
 		assert.Equal(t, http.StatusOK, response.Code)
 		assert.Nil(t, err)
 		assert.Equal(t, accountV1.Repository, accountResponse.Repository)
+		assert.Contains(t, accountResponse.Token, "...")
 	})
 
 	t.Run("Should not fetch an account by domain ID / environment - not found", func(t *testing.T) {
@@ -110,6 +110,8 @@ func TestFetchAccountHandler(t *testing.T) {
 		assert.Equal(t, http.StatusOK, response.Code)
 		assert.Nil(t, err)
 		assert.Equal(t, 2, len(accountsResponse))
+		assert.Contains(t, accountsResponse[0].Token, "...")
+		assert.Contains(t, accountsResponse[1].Token, "...")
 	})
 
 	t.Run("Should not fetch all accounts by domain ID - not found", func(t *testing.T) {
@@ -174,11 +176,12 @@ func TestUpdateAccountHandler(t *testing.T) {
 		assert.Equal(t, http.StatusOK, response.Code)
 		assert.Nil(t, err)
 		assert.Equal(t, accountV1.Repository, accountResponse.Repository)
+		assert.Contains(t, accountResponse.Token, "...")
 
-		encryptedToken := utils.Encrypt(accountV1.Token, config.GetEnv("GIT_TOKEN_PRIVATE_KEY"))
-		assert.NotEqual(t, encryptedToken, accountResponse.Token)
+		accountRepository := repository.NewAccountRepositoryMongo(mongoDb)
+		accountFromDb, _ := accountRepository.FetchByAccountId(accountResponse.ID.Hex())
 
-		decryptedToken, _ := utils.Decrypt(accountResponse.Token, config.GetEnv("GIT_TOKEN_PRIVATE_KEY"))
+		decryptedToken, _ := utils.Decrypt(accountFromDb.Token, config.GetEnv("GIT_TOKEN_PRIVATE_KEY"))
 		assert.Equal(t, "new-token", decryptedToken)
 	})