
feat(users): prevent route leaking access token (#1417)
The tests for authentication use the route /api/users/me. This should probably be upgraded to use
a proper passport mock.

In the meanwhile this should make the returned user object safer - using code from core.

Fixes n/a
Wuntenn authored and lirantal committed Aug 31, 2016
1 parent 55525bd commit 54ae7dc
Showing 2 changed files with 23 additions and 4 deletions.
4 changes: 2 additions & 2 deletions modules/users/server/controllers/admin.server.controller.js
Expand Up @@ -59,7 +59,7 @@ exports.delete = function (req, res) {
* List of Users
*/
exports.list = function (req, res) {
User.find({}, '-salt -password').sort('-created').populate('user', 'displayName').exec(function (err, users) {
User.find({}, '-salt -password -providerData').sort('-created').populate('user', 'displayName').exec(function (err, users) {
if (err) {
return res.status(400).send({
message: errorHandler.getErrorMessage(err)
Expand All @@ -80,7 +80,7 @@ exports.userByID = function (req, res, next, id) {
});
}

User.findById(id, '-salt -password').exec(function (err, user) {
User.findById(id, '-salt -password -providerData').exec(function (err, user) {
if (err) {
return next(err);
} else if (!user) {
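Review bot: The projections on the `User.find` and `User.findById` lines that add `-providerData` are a field blacklist, so any other secret-bearing field on the model still reaches the admin list and lookup responses — notably `additionalProvidersData`, which the `exports.me` hunk in the second file copies into the response verbatim and which presumably carries the same kind of per-provider payload. A positive projection naming only what the admin views need, e.g. `User.find({}, 'displayName username email roles provider created profileImageURL')`, would not depend on remembering every sensitive field as the model grows; the same applies to the `findById` projection in the second hunk. Both `exports.list` and `exports.userByID` continue past their hunks.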
Expand Up @@ -10,7 +10,8 @@ var _ = require('lodash'),
mongoose = require('mongoose'),
multer = require('multer'),
config = require(path.resolve('./config/config')),
User = mongoose.model('User');
User = mongoose.model('User'),
validator = require('validator');

var whitelistedFields = ['firstName', 'lastName', 'email', 'username'];

Expand Down Expand Up @@ -141,5 +142,23 @@ exports.changeProfilePicture = function (req, res) {
* Send User
*/
exports.me = function (req, res) {
res.json(req.user || null);
// Sanitize the user - short term solution. Copied from core.server.controller.js
// TODO create proper passport mock: See https://gist.github.com/mweibel/5219403
var safeUserObject = null;
if (req.user) {
safeUserObject = {
displayName: validator.escape(req.user.displayName),
provider: validator.escape(req.user.provider),
username: validator.escape(req.user.username),
created: req.user.created.toString(),
roles: req.user.roles,
profileImageURL: req.user.profileImageURL,
email: validator.escape(req.user.email),
lastName: validator.escape(req.user.lastName),
firstName: validator.escape(req.user.firstName),
additionalProvidersData: req.user.additionalProvidersData
};
}

res.json(safeUserObject || null);
};
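Review bot: Each `validator.escape(req.user.<field>)` call in `exports.me` assumes the field is present as a string; in validator versions that assert a string argument, an account with no `displayName`, `email`, `lastName` or `firstName` set would make the call throw and the route answer with an error instead of the profile, and `req.user.created.toString()` fails the same way when `created` is unset. Defaulting each value before escaping, e.g. `displayName: validator.escape(req.user.displayName || '')`, keeps the route tolerant of partially populated accounts. It is also worth a comment on the object literal noting that `validator.escape` HTML-encodes the values, since this is a JSON API and clients that render the fields as text will see entities such as `&amp;`.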
