Closed jamesvillarrubia closed 1 month ago
The authentication call will also return the safe external representation of the user object. I just tested it with a newly generated application and for me it is returning the data as expected:
Just to add, @jamesvillarrubia, it'll be a good idea to put up a StackBlitz repro or an example repo that could be run locally, because it works as expected for me as well.
Steps to reproduce
Expected behavior
Local Auth strategy returns the user without the password hash.
Actual behavior
Local Auth strategy returns hashed password.
Investigation
From what I can tell, context.dispatch is only used in the HTTP library, but in the authentication getEntity function it's assuming that the resolver has removed sensitive fields. Since the request is internal and never gets to the HTTP line, the user information is passed in whole. https://github.com/feathersjs/feathers/blob/82d30fd37914e61935e068e89fc389f6bf47aaad/packages/transport-commons/src/http.ts#L82

I have added an around hook to compensate, but this seems like the wrong strategy.
Options
1) Manually strip out the field in the Local Strategy, but leave internal calls with access to the user information, including password.
2) Write a hook to set result to dispatch as a default.
3) Use a resolver in the Auth hooks to strip out the password.
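The following is an added example, not code from the issue author or from the Feathers project, showing what options 2 and 3 above look like as plain hook functions. It only assumes the Feathers hook context shape (an object carrying result and, when a transport has set it, dispatch) and the authenticate result shape { accessToken, authentication, user }; the entity key name, the field list and the sample context are constructed for the example. The point it demonstrates is the one the issue raises: dispatch is only honoured on the HTTP path, so a hook that sanitises the entity in context.result itself is what keeps the hash out of internal calls too.

```javascript
// Added example (not Feathers' own code). Hook context shape follows Feathers
// ({ method, params, result, dispatch }); the authenticate result shape
// { accessToken, authentication, user } and the entity name 'user' are assumed.

const SENSITIVE_FIELDS = ['password']; // assumption: the local strategy's hashed field

// Returns a shallow copy of `obj` with the sensitive fields removed.
// Copying, not deleting in place, means the entity object the service
// still holds (and may pass to other internal callers) is never mutated.
function stripSensitive(obj, fields = SENSITIVE_FIELDS) {
  if (!obj || typeof obj !== 'object') return obj;
  const copy = { ...obj };
  for (const f of fields) delete copy[f];
  return copy;
}

// Option 3 from the issue, as an "after" hook on the authentication service:
// sanitise the entity inside context.result regardless of transport, so an
// internal app.service('authentication').create(...) call sees no hash either.
function protectAuthResult(entity = 'user', fields = SENSITIVE_FIELDS) {
  return (context) => {
    if (context.result && context.result[entity]) {
      context.result = {
        ...context.result,
        [entity]: stripSensitive(context.result[entity], fields),
      };
    }
    return context;
  };
}

// Option 2 from the issue: make dispatch the default result. This only helps
// when something (normally the HTTP transport path) has populated dispatch;
// on an internal call dispatch is undefined and result is returned unchanged,
// which is exactly the gap the issue describes.
function preferDispatch(context) {
  if (context.dispatch !== undefined) {
    context.result = context.dispatch;
  }
  return context;
}

// Constructed sample: what the local strategy hands back before hooks run.
// params.provider is undefined to model an internal (non-transport) call.
function sampleContext() {
  return {
    method: 'create',
    params: { provider: undefined },
    result: {
      accessToken: 'eyJ.constructed.token',
      authentication: { strategy: 'local' },
      user: { id: 1, email: 'alice@example.com', password: '$2a$10$constructedhash' },
    },
  };
}

// Runs both hooks over the sample and reports which one removed the hash.
function demo() {
  const viaDispatch = preferDispatch(sampleContext());
  const viaStrip = protectAuthResult()(sampleContext());
  return {
    dispatchHookLeaksHash: 'password' in viaDispatch.result.user,
    stripHookLeaksHash: 'password' in viaStrip.result.user,
    sanitised: viaStrip.result,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows preferDispatch leaving the hash in place on the internal call (dispatch was never set) while protectAuthResult removes it and leaves accessToken, authentication and the non-sensitive user fields intact; the original entity object held by the service is not modified.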