From b844b4c75c177a65b987dc7247a50e54b4a28725 Mon Sep 17 00:00:00 2001
From: Layton Whiteley
Date: Sun, 6 Oct 2024 22:58:33 +0200
Subject: [PATCH] chore: dont leak password in auth requests

---
 src/service/routes/auth.js | 15 +++++++++------
 test/testLogin.test.js | 4 ++++
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/service/routes/auth.js b/src/service/routes/auth.js
index ce6a4243..d92a1a23 100644
--- a/src/service/routes/auth.js
+++ b/src/service/routes/auth.js
@@ -23,20 +23,22 @@ router.get('/', (req, res) => {
 router.post('/login', passport.authenticate(passportType), async (req, res) => {
   try {
+    const currentUser = { ...req.user };
+    delete currentUser.password;
     console.log(
       `serivce.routes.auth.login: user logged in, username=${
-        req.user.username
-      } profile=${JSON.stringify(req.user)}`,
+        currentUser.username
+      } profile=${JSON.stringify(currentUser)}`,
     );
+    res.send({
+      message: 'success',
+      user: currentUser,
+    });
   } catch (e) {
     console.log(`service.routes.auth.login: Error logging user in ${JSON.stringify(e)}`);
     res.status(500).send('Failed to login').end();
     return;
   }
-  res.send({
-    message: 'success',
-    user: req.user,
-  });
 });
 
 // when login is successful, retrieve user info
@@ -115,6 +117,7 @@ router.get('/userLoggedIn', async (req, res) => {
     delete user.password;
     const login = user.username;
     const userVal = await db.findUser(login);
+    delete userVal.password;
     res.send(userVal);
   } else {
     res.status(401).end();
diff --git a/test/testLogin.test.js b/test/testLogin.test.js
index 2fe614c5..e9155056 100644
--- a/test/testLogin.test.js
+++ b/test/testLogin.test.js
@@ -40,6 +40,10 @@ describe('auth', async () => {
         cookie = x.split(';')[0];
       }
     });
+
+    const authMetadataResponse = await res.get('/api/auth/userLoggedIn');
+
+    authMetadataResponse.should.have.status(200);
   });
 
   it('should now be able to access the profile', async function () {
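Review bot: The `currentUser` copy on the first two added lines of the `/login` hunk is a deny-list that strips only `password`, so any other sensitive field the user record may carry (a hash, reset token or similar — the model is not visible here) is still both logged and returned to the client; the spread is also shallow, so nested objects stay shared with `req.user`. A destructuring exclusion avoids the `delete` and reads as an explicit decision, `const { password, ...currentUser } = req.user;`, and picking the fields the client actually needs would be safer still. Logging `JSON.stringify(currentUser)` on every login also writes the whole profile into the log stream, where it is rarely needed; logging only `username` keeps the line useful without the PII.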
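Review bot: `delete userVal.password` in the `/userLoggedIn` hunk assumes `db.findUser(login)` returned an object; if the lookup can yield `null`/`undefined` (account removed while its session is still live) the `delete` throws a TypeError, and no `try`/`catch` is visible in this hunk — the handler starts outside it, so that may be covered elsewhere. It also mutates the object the data layer handed back, which matters if that layer caches or returns live records. A guard plus a non-mutating exclusion covers both: `if (!userVal) { res.status(401).end(); return; }` (mirroring the existing `401` branch, if that is the intended contract), then `const { password, ...safeUser } = userVal;` and `res.send(safeUser);`.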
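Review bot: The new assertion at the end of the test hunk checks only the status code, so the test would still pass if `/api/auth/userLoggedIn` kept returning the password — the regression this commit exists to prevent. Add `authMetadataResponse.body.should.not.have.property('password');` so the exclusion is actually covered, and the same check on the `/login` response body if this test captures it. The enclosing `it(...)` starts outside the hunk, so the assertion may need to sit before any later teardown.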