Merge pull request #32 from seanjohnite/sanitize3

add sanitize method

Author: joedotjs

generated/server/app/configure/authentication/index.js

@@ -47,7 +47,7 @@ module.exports = function (app) {
     // logged in already.
     app.get('/session', function (req, res) {
         if (req.user) {
-            res.send({ user: _.omit(req.user.toJSON(), ['salt', 'password']) });
+            res.send({ user: req.user.sanitize() });
         } else {
             res.status(401).send('No authenticated user.');
         }

generated/server/app/configure/authentication/local.js

@@ -44,7 +44,7 @@ module.exports = function (app) {
                 if (loginErr) return next(loginErr);
                 // We respond with a response object that has user with _id and email.
                 res.status(200).send({
-                    user: _.omit(user.toJSON(), ['password', 'salt'])
+                    user: user.sanitize()
                 });
             });
 

generated/server/db/models/user.js

@@ -26,6 +26,11 @@ var schema = new mongoose.Schema({
     }
 });
 
+// method to remove sensitive information from user objects before sending them out
+schema.methods.sanitize =  function () {
+    return _.omit(this.toJSON(), ['password', 'salt']);
+};
+
 // generateSalt, encryptPassword and the pre 'save' and 'correctPassword' operations
 // are all used for local authentication security.
 var generateSalt = function () {

generated/tests/server/models/user-test.js

@@ -142,6 +142,23 @@ describe('User model', function () {
 
         });
 
+        describe('sanitize method', function () {
+
+            var createUser = function () {
+                return User.create({ email: '[email protected]', password: 'potus' });
+            };
+
+            it('should remove sensitive information from a user object', function () {
+                createUser().then(function (user) {
+                    var sanitizedUser = user.sanitize();
+                    expect(user.password).to.be.ok;
+                    expect(user.salt).to.be.ok;
+                    expect(sanitizedUser.password).to.be.undefined;
+                    expect(sanitizedUser.salt).to.be.undefined;
+                });
+            });
+        });
+
     });
 
 });