chore: dont leak password in auth requests

finos · Oct 6, 2024 · dda2f5b · dda2f5b
1 parent 52c2109
commit dda2f5b
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/src/service/routes/auth.js b/src/service/routes/auth.js
@@ -23,20 +23,22 @@ router.get('/', (req, res) => {
 
 router.post('/login', passport.authenticate(passportType), async (req, res) => {
   try {
+    const currentUser = { ...req.user };
+    delete currentUser.password;
     console.log(
       `serivce.routes.auth.login: user logged in, username=${
-        req.user.username
-      } profile=${JSON.stringify(req.user)}`,
+        currentUser.username
+      } profile=${JSON.stringify(currentUser)}`,
     );
+    res.send({
+      message: 'success',
+      user: currentUser,
+    });
   } catch (e) {
     console.log(`service.routes.auth.login: Error logging user in ${JSON.stringify(e)}`);
     res.status(500).send('Failed to login').end();
     return;
   }
-  res.send({
-    message: 'success',
-    user: req.user,
-  });
 });
 
 // when login is successful, retrieve user info
@@ -115,6 +117,7 @@ router.get('/userLoggedIn', async (req, res) => {
     delete user.password;
     const login = user.username;
     const userVal = await db.findUser(login);
+    delete userVal.password;
     res.send(userVal);
   } else {
     res.status(401).end();