[Bug][Security] Hashed Password Returned in Signup/Login Response

[pythonpioneer]

Security Flaw: Hashed Password Returned in Signup/Login Response

Description

The current authentication implementation returns the hashed password in the API response after a user signs up (and potentially logs in).

Example response:

{
  "data": {
    "email": "example@gmail.com",
    "password": "$2b$10$hashedvalue...",
    "_id": "abc123",
    "__v": 0
  },
  "message": "signup"
}

Why This Is a Security Concern

While the password is hashed, returning it in any response:

• Violates security best practices.
• Increases the attack surface if logs or downstream services mishandle data.
• May lead to accidental exposure or misuse.

Even though it's not plaintext, it should never leave the server once stored.

Suggested Fix

Before sending user data in the response, exclude the password field explicitly:

const userData: User = req.body;
const { cookie, findUser } = await this.auth.login(userData);

// updated section
const { password, _id, email, ...restInfo } = findUser;
void password;
void restInfo;
const userSecuredInfo = { _id, email };

res.setHeader('Set-Cookie', [cookie]);
res.status(200).json({ data: userSecuredInfo, message: 'login' });

Additional Recommendation: Centralized Response Handling

To further improve response safety and consistency, consider implementing a centralized response utility (e.g., apiResponse) that:

• Standardizes success and error responses.
• Automatically strips sensitive fields like passwords.
• Handles cookies and headers consistently.
• Adds request metadata (IP, headers, etc.) for better traceability.
• Makes testing and debugging cleaner.

This ensures no sensitive data ever leaks, even if a developer forgets to sanitize individual responses.

Benefits

• Adheres to secure coding best practices.
• Reduces the risk of accidental sensitive data exposure.
• Makes the codebase more maintainable and scalable for future features.

I'd be happy to contribute or open a PR if you're open to it. Please let me know which direction you prefer, either filtering the fields here or introducing a centralized response layer.

[ljlm0402]

@pythonpioneer

Thank you for the nice words.

I'm currently in the middle of a big patch on the project, so I'll update it as soon as possible and get back to you with a good library. I'll also take note of the advice.

Have a nice day 🤍

[pythonpioneer]

@ljlm0402

Sounds good! Thanks for taking it into consideration. Happy to hear that a patch is in the works.

Let me know if I can assist with the fix or submit a PR to help speed things up. Looking forward to seeing the update.

Cheers!

[ljlm0402]

We will close this issue with the release of a new version.