fix: use a public user object to prevent passwords and other secrets in user objects

andypols · andypols · commit c985308473e5 · 2025-07-04T21:28:42.000+01:00
diff --git a/src/db/mongo/users.ts b/src/db/mongo/users.ts
@@ -17,7 +17,7 @@ export const getUsers = async function (query: any = {}) {
   }
   console.log(`Getting users for query= ${JSON.stringify(query)}`);
   const collection = await connect(collectionName);
-  return collection.find(query, { password: 0 }).toArray();
+  return collection.find(query).project({ password: 0 }).toArray();
 };
 
 export const deleteUser = async function (username: string) {
diff --git a/src/service/routes/users.js b/src/service/routes/users.js
@@ -2,6 +2,17 @@ const express = require('express');
 const router = new express.Router();
 const db = require('../../db');
 
+const toPublicUser = (user) => {
+  return {
+    username: user.username || '',
+    displayName: user.displayName || '',
+    email: user.email || '',
+    title: user.title || '',
+    gitAccount: user.gitAccount || '',
+    admin: user.admin || false,
+  }
+}
+
 router.get('/', async (req, res) => {
   const query = {};
 
@@ -17,16 +28,16 @@ router.get('/', async (req, res) => {
     query[k] = v;
   }
 
-  res.send(await db.getUsers(query));
+  const users = await db.getUsers(query);
+  res.send(users.map(toPublicUser));
 });
 
 router.get('/:id', async (req, res) => {
   const username = req.params.id.toLowerCase();
   console.log(`Retrieving details for user: ${username}`);
   const data = await db.findUser(username);
   const user = JSON.parse(JSON.stringify(data));
-  if (user && user.password) delete user.password;
-  res.send(user);
+  res.send(toPublicUser(user));
 });
 
 module.exports = router;
diff --git a/test/services/routes/users.test.js b/test/services/routes/users.test.js
@@ -0,0 +1,67 @@
+const chai = require('chai');
+const chaiHttp = require('chai-http');
+const sinon = require('sinon');
+const express = require('express');
+const usersRouter = require('../../../src/service/routes/users');
+const db = require('../../../src/db');
+
+const { expect } = chai;
+chai.use(chaiHttp);
+
+describe('Users API', function () {
+  let app;
+
+  before(function () {
+    app = express();
+    app.use(express.json());
+    app.use('/users', usersRouter);
+  });
+
+  beforeEach(function () {
+    sinon.stub(db, 'getUsers').resolves([
+      {
+        username: 'alice',
+        password: 'secret-hashed-password',
+        email: 'alice@example.com',
+        displayName: 'Alice Walker',
+      },
+    ]);
+    sinon
+      .stub(db, 'findUser')
+      .resolves({ username: 'bob', password: 'hidden', email: 'bob@example.com' });
+  });
+
+  afterEach(function () {
+    sinon.restore();
+  });
+
+  it('GET /users only serializes public data needed for ui, not user secrets like password', async function () {
+    const res = await chai.request(app).get('/users');
+    expect(res).to.have.status(200);
+    expect(res.body).to.deep.equal([
+      {
+        username: 'alice',
+        displayName: 'Alice Walker',
+        email: 'alice@example.com',
+        title: '',
+        gitAccount: '',
+        admin: false,
+      },
+    ]);
+  });
+
+  it('GET /users/:id does not serialize password', async function () {
+    const res = await chai.request(app).get('/users/bob');
+    expect(res).to.have.status(200);
+    console.log(`Response body: ${res.body}`);
+
+    expect(res.body).to.deep.equal({
+      username: 'bob',
+      displayName: '',
+      email: 'bob@example.com',
+      title: '',
+      gitAccount: '',
+      admin: false,
+    });
+  });
+});
diff --git a/test/testDb.test.js b/test/testDb.test.js
@@ -241,7 +241,7 @@ describe('Database clients', async () => {
       TEST_USER.admin,
     );
 
-    // has less properties to prove that records are merged
+    // has fewer properties to prove that records are merged
     const updateToApply = {
       username: TEST_USER.username,
       gitAccount: 'updatedGitAccount',

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ export const getUsers = async function (query: any = {}) {`
`17`	`17`	`}`
`18`	`18`	console.log(`Getting users for query= ${JSON.stringify(query)}`);
`19`	`19`	`const collection = await connect(collectionName);`
`20`		`- return collection.find(query, { password: 0 }).toArray();`
	`20`	`+ return collection.find(query).project({ password: 0 }).toArray();`
`21`	`21`	`};`
`22`	`22`
`23`	`23`	`export const deleteUser = async function (username: string) {`