inertiajs / inertia-laravel

The Laravel adapter for Inertia.js.
https://inertiajs.com
MIT License

Middleware sometimes exposes full user data #474

Closed mark1502 closed 1 year ago

mark1502 commented 1 year ago

Not sure if this is the right place for this, but while using Laravel Breeze/Vue with Inertia, I noticed the middleware (`HandleInertiaRequests.php`) sometimes exposes the full user data. Here's the code:

```php
public function share(Request $request)
{
    return array_merge(parent::share($request), [
        'auth' => [
            'user' => $request->user(),
        ],
    ]);
}
```

Sometimes null is returned, but sometimes the entire user record is returned. This seems like it could pose a problem by unintentionally exposing some user data.

I changed the assignment like this to address the issue, but I'm not sure if that's ok:

```php
'user' => $request->user() ? $request->user()->only(['name', 'email']) : null,
```

Thanks

kido1611 commented 1 year ago

I think your solution is ok. Check this https://inertiajs.com/shared-data#sharing-data.

crnkovic commented 1 year ago

There's a great video on this topic at Laracasts: https://laracasts.com/series/inertia-and-spa-techniques/episodes/3

Yes, you should always cherry-pick attributes that you want to expose publicly.

reinink commented 1 year ago

Thanks for sharing that link @crnkovic, you're exactly right. Never blindly pass all your model data to Inertia.js. We actually mention this in our docs:

To ensure that pages load quickly, only return the minimum data required for the page. Also, be aware that all data returned from the controllers will be visible client-side, so be sure to omit sensitive information.

Hope that helps! 👍
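The advice in this thread (only share an explicit allowlist of user attributes, never the whole model) as an added example, not code from this issue or from the inertia-laravel repository. It assumes a standard Laravel app with the Breeze `HandleInertiaRequests` middleware and the `assertInertia` test helper that inertia-laravel provides; the `/dashboard` route and the `password` column are assumptions about the app.

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Http\Request;
use Inertia\Middleware;

class HandleInertiaRequests extends Middleware
{
    // Every key listed here is sent to the browser on every Inertia response.
    // Keeping the list explicit means adding a column to `users` (api tokens,
    // 2FA secrets, remember_token, ...) never leaks it by accident.
    private const SHARED_USER_ATTRIBUTES = ['id', 'name', 'email'];

    public function share(Request $request): array
    {
        return array_merge(parent::share($request), [
            'auth' => [
                // Closure: the user is only read when the prop is actually sent,
                // and `only()` on the Eloquent model returns just the allowlisted
                // attributes, or null for guests.
                'user' => fn () => $request->user()
                    ? $request->user()->only(self::SHARED_USER_ATTRIBUTES)
                    : null,
            ],
        ]);
    }
}

// tests/Feature/SharedUserDataTest.php (assumed path): a regression test that
// fails if the full model ever ends up in the shared props again.
//
// public function test_shared_user_contains_only_allowlisted_attributes(): void
// {
//     $user = \App\Models\User::factory()->create();
//
//     $this->actingAs($user)
//         ->get('/dashboard')
//         ->assertInertia(fn ($page) => $page
//             ->where('auth.user.id', $user->id)
//             ->where('auth.user.email', $user->email)
//             ->missing('auth.user.password')
//             ->missing('auth.user.remember_token'));
// }
```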