chore: dont leak password in auth requests

finos · Oct 7, 2024 · b844b4c · b844b4c
1 parent 52c2109
commit b844b4c
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 6 deletions.
diff --git a/src/service/routes/auth.js b/src/service/routes/auth.js
@@ -23,20 +23,22 @@ router.get('/', (req, res) => {
 
 router.post('/login', passport.authenticate(passportType), async (req, res) => {
   try {
+    const currentUser = { ...req.user };
+    delete currentUser.password;
     console.log(
       `serivce.routes.auth.login: user logged in, username=${
-        req.user.username
-      } profile=${JSON.stringify(req.user)}`,
+        currentUser.username
+      } profile=${JSON.stringify(currentUser)}`,
     );
+    res.send({
+      message: 'success',
+      user: currentUser,
+    });
   } catch (e) {
     console.log(`service.routes.auth.login: Error logging user in ${JSON.stringify(e)}`);
     res.status(500).send('Failed to login').end();
     return;
   }
-  res.send({
-    message: 'success',
-    user: req.user,
-  });
 });
 
 // when login is successful, retrieve user info
@@ -115,6 +117,7 @@ router.get('/userLoggedIn', async (req, res) => {
     delete user.password;
     const login = user.username;
     const userVal = await db.findUser(login);
+    delete userVal.password;
     res.send(userVal);
   } else {
     res.status(401).end();

diff --git a/test/testLogin.test.js b/test/testLogin.test.js
@@ -40,6 +40,10 @@ describe('auth', async () => {
           cookie = x.split(';')[0];
         }
       });
+
+      const authMetadataResponse = await res.get('/api/auth/userLoggedIn');
+
+      authMetadataResponse.should.have.status(200);
     });
 
     it('should now be able to access the profile', async function () {