Fix(users): Don't update secure profile fields

Avoid updating secure fields as password, salt ..etc through user profile update. Fixes meanjs#1420
shanavas786 · Aug 7, 2016 · 8bfd74a · 8bfd74a
1 parent 64392b1
commit 8bfd74a
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 8 deletions.
diff --git a/modules/users/server/controllers/users/users.profile.server.controller.js b/modules/users/server/controllers/users/users.profile.server.controller.js
@@ -18,16 +18,16 @@ var _ = require('lodash'),
 exports.update = function (req, res) {
   // Init Variables
   var user = req.user;
-
-  // For security measurement we remove the roles from the req.body object
-  delete req.body.roles;
-
-  // For security measurement do not use _id from the req.body object
-  delete req.body._id;
+  var secureFields = ['firstName', 'lastName', 'email', 'username'];
 
   if (user) {
-    // Merge existing user
-    user = _.extend(user, req.body);
+    // For security measurements update only secure fields
+    secureFields.forEach(function (field) {
+      if (req.body.hasOwnProperty(field)) {
+        user[field] = req.body[field];
+      }
+    });
+
     user.updated = Date.now();
     user.displayName = user.firstName + ' ' + user.lastName;
 

diff --git a/modules/users/tests/server/user.server.routes.tests.js b/modules/users/tests/server/user.server.routes.tests.js
@@ -807,6 +807,54 @@ describe('User CRUD tests', function () {
     });
   });
 
+  it('should not be able to update secure fields', function (done) {
+    var resetPasswordToken = 'password-reset-token';
+    user.resetPasswordToken = resetPasswordToken;
+
+    user.save(function (saveErr) {
+      if (saveErr) {
+        return done(saveErr);
+      }
+      agent.post('/api/auth/signin')
+        .send(credentials)
+        .expect(200)
+        .end(function (signinErr, signinRes) {
+          // Handle signin error
+          if (signinErr) {
+            return done(signinErr);
+          }
+          var userUpdate = {
+            password: 'Aw3$0m3P@ssWord',
+            salt: 'newsaltphrase',
+            created: new Date(2000, 9, 9),
+            resetPasswordToken: 'tweeked-reset-token'
+          };
+
+          // Get own user details
+          agent.put('/api/users')
+            .send(userUpdate)
+            .expect(200)
+            .end(function (err, res) {
+              if (err) {
+                return done(err);
+              }
+
+              User.findById(user._id, function (dbErr, updatedUser) {
+                if (dbErr) {
+                  return done(dbErr);
+                }
+
+                updatedUser.password.should.be.equal(user.password);
+                updatedUser.salt.should.be.equal(user.salt);
+                updatedUser.created.getTime().should.be.equal(user.created.getTime());
+                updatedUser.resetPasswordToken.should.be.equal(resetPasswordToken);
+                done();
+              });
+            });
+        });
+    });
+  });
+
   it('should not be able to update own user details if not logged-in', function (done) {
     user.roles = ['user'];