Merge pull request finos#741 from lwhiteley/dont-leak-password

chore: dont leak password from server

Author: JamieSlome

src/db/mongo/users.js

@@ -9,7 +9,7 @@ exports.findUser = async function (username) {
 exports.getUsers = async function (query) {
   console.log(`Getting users for query= ${JSON.stringify(query)}`);
   const collection = await connect(usersCollection);
-  return collection.find(query).toArray();
+  return collection.find(query, { password: 0 }).toArray();
 };
 
 exports.deleteUser = async function (username) {

src/service/routes/auth.js

@@ -23,20 +23,22 @@ router.get('/', (req, res) => {
 
 router.post('/login', passport.authenticate(passportType), async (req, res) => {
   try {
+    const currentUser = { ...req.user };
+    delete currentUser.password;
     console.log(
       `serivce.routes.auth.login: user logged in, username=${
-        req.user.username
-      } profile=${JSON.stringify(req.user)}`,
+        currentUser.username
+      } profile=${JSON.stringify(currentUser)}`,
     );
+    res.send({
+      message: 'success',
+      user: currentUser,
+    });
   } catch (e) {
     console.log(`service.routes.auth.login: Error logging user in ${JSON.stringify(e)}`);
     res.status(500).send('Failed to login').end();
     return;
   }
-  res.send({
-    message: 'success',
-    user: req.user,
-  });
 });
 
 // when login is successful, retrieve user info
@@ -115,6 +117,7 @@ router.get('/userLoggedIn', async (req, res) => {
     delete user.password;
     const login = user.username;
     const userVal = await db.findUser(login);
+    delete userVal.password;
     res.send(userVal);
   } else {
     res.status(401).end();

test/testLogin.test.js

@@ -42,6 +42,11 @@ describe('auth', async () => {
       });
     });
 
+    it('should now be able to access the user login metadata', async function () {
+      const res = await chai.request(app).get('/api/auth/userLoggedIn').set('Cookie', `${cookie}`);
+      res.should.have.status(200);
+    });
+
     it('should now be able to access the profile', async function () {
       const res = await chai.request(app).get('/api/auth/profile').set('Cookie', `${cookie}`);
       res.should.have.status(200);