feat: implement agent payload sanitization and security updates

tacxou · tacxou · commit 2312fe087d8c · 2026-05-05T16:03:11.000+02:00
- Added a method to sanitize agent payloads, removing sensitive information such as passwords and old passwords from the response.
- Updated the SecurityPartDTO to make the oldPasswords field optional, enhancing flexibility in data handling.
- Modified the security schema to include a setter for allowedNetworks, ensuring proper formatting and filtering of network entries.
- Enhanced the Vue components to handle the new security structure, ensuring that sensitive data is not exposed in the UI.
diff --git a/apps/api/src/core/agents/_dto/parts/security.part.dto.ts b/apps/api/src/core/agents/_dto/parts/security.part.dto.ts
@@ -41,8 +41,7 @@ export class SecurityPartDTO {
    * @readonly En pratique, ne devrait pas être modifiée manuellement
    * @optional
    */
-  @IsArray()
-  @IsString({ each: true })
+  @IsOptional()
   @ApiProperty({ type: [String] })
   public oldPasswords?: string[]
 
diff --git a/apps/api/src/core/agents/_schemas/_parts/security.part.schema.ts b/apps/api/src/core/agents/_schemas/_parts/security.part.schema.ts
@@ -88,6 +88,11 @@ export class SecurityPart extends Document {
    */
   @Prop({
     type: [String],
+    set: (value: string[] | string | null | undefined): string[] | undefined => {
+      if (value === null || value === undefined) return undefined
+      const values = Array.isArray(value) ? value : [value]
+      return values.map((item) => `${item || ''}`.trim()).filter((item) => item.length > 0)
+    },
   })
   public allowedNetworks?: string[]
 
diff --git a/apps/api/src/core/agents/agents.controller.ts b/apps/api/src/core/agents/agents.controller.ts
@@ -34,6 +34,28 @@ import { UseRoles } from '~/_common/decorators/use-roles.decorator'
 @ApiTags('core/agents')
 @Controller('agents')
 export class AgentsController extends AbstractController {
+  protected sanitizeAgentPayload<T = any>(payload: T): T {
+    if (!payload || typeof payload !== 'object') return payload
+
+    if (Array.isArray(payload)) {
+      return payload.map((item) => this.sanitizeAgentPayload(item)) as T
+    }
+
+    const source = typeof (payload as any).toObject === 'function' ? (payload as any).toObject() : payload
+    const cloned: Record<string, any> = { ...(source as Record<string, any>) }
+
+    delete cloned.password
+    if (cloned.security && typeof cloned.security === 'object') {
+      cloned.security = { ...cloned.security }
+      delete cloned.security.oldPasswords
+    }
+    if (cloned.value && typeof cloned.value === 'object') {
+      cloned.value = this.sanitizeAgentPayload(cloned.value)
+    }
+
+    return cloned as T
+  }
+
   /**
    * Projection des champs retournés pour les opérations de recherche
    *
@@ -91,7 +113,7 @@ export class AgentsController extends AbstractController {
     const data = await this._service.create(body)
     return res.status(HttpStatus.CREATED).json({
       statusCode: HttpStatus.CREATED,
-      data,
+      data: this.sanitizeAgentPayload(data),
     })
   }
 
@@ -173,11 +195,11 @@ export class AgentsController extends AbstractController {
   ): Promise<Response> {
     const data = await this._service.findById(_id, {
       password: 0,
-      security: 0,
+      'security.oldPasswords': 0,
     })
     return res.status(HttpStatus.OK).json({
       statusCode: HttpStatus.OK,
-      data,
+      data: this.sanitizeAgentPayload(data),
     })
   }
 
@@ -211,7 +233,7 @@ export class AgentsController extends AbstractController {
     const data = await this._service.update(_id, body)
     return res.status(HttpStatus.OK).json({
       statusCode: HttpStatus.OK,
-      data,
+      data: this.sanitizeAgentPayload(data),
     })
   }
 
@@ -241,7 +263,7 @@ export class AgentsController extends AbstractController {
     const data = await this._service.delete(_id)
     return res.status(HttpStatus.OK).json({
       statusCode: HttpStatus.OK,
-      data,
+      data: this.sanitizeAgentPayload(data),
     })
   }
 }
diff --git a/apps/web/src/pages/settings/agents/[_id].vue b/apps/web/src/pages/settings/agents/[_id].vue
@@ -56,7 +56,11 @@ export default defineNuxtComponent({
       transform: (result: unknown) => {
         const res = result as Response | undefined
         if (!res || res.data == null) throw new Error('Invalid API response')
-        return res.data as Agent
+        const agent = res.data as Agent & { security?: { allowedNetworks?: string[] }; allowedNetworks?: string[] }
+        return {
+          ...agent,
+          allowedNetworks: Array.isArray(agent?.security?.allowedNetworks) ? [...agent.security.allowedNetworks] : [],
+        } as Agent
       },
     })
     if (error.value) {
diff --git a/apps/web/src/pages/settings/agents/[_id]/index.vue b/apps/web/src/pages/settings/agents/[_id]/index.vue
@@ -87,6 +87,19 @@ export default defineNuxtComponent({
       const sanitizedAgent: Agent & Record<string, unknown> = { ...this.data.agent }
       delete sanitizedAgent.metadata
 
+      const allowedNetworks = Array.isArray(sanitizedAgent.allowedNetworks)
+        ? sanitizedAgent.allowedNetworks
+        : undefined
+      const security = typeof sanitizedAgent.security === 'object' && sanitizedAgent.security !== null ? { ...(sanitizedAgent.security as Record<string, unknown>) } : {}
+      delete security.oldPasswords
+
+      if (allowedNetworks) {
+        security.allowedNetworks = allowedNetworks
+      }
+
+      sanitizedAgent.security = security
+      delete sanitizedAgent.allowedNetworks
+
       try {
         await this.$http[method](path, {
           body: sanitizedAgent,
