joeeames / MEANAppsFiles

Repository for my MEAN course on Pluralsight

hide the salt and hashed_pwd on the client side #6

Closed mic0331 closed 8 years ago

mic0331 commented 10 years ago

Hello,

thank you very much for your course, it is a really good piece of knowledge!

At some point during the explanation you mention that salt and hashed_pwd should not be transmitted to the client side of the Angular app. Could you please highlight exactly where the filtering to remove these two fields should be done on the server side?

I tried in the passport.js file but this confuses the update procedure for the profile...

```javascript
passport.deserializeUser(function(id, done) {
    User.findOne({_id: id}).exec(function(err, user) {
        if (err) {
            return done(err);
        }
        if (user) {
            // Deep-copy the Mongoose document into a plain object and drop the
            // secret fields before it becomes req.user. The copy has no save()
            // method, so routes that expect a Mongoose document on req.user
            // (such as the profile update) no longer work as before.
            var mockUser = JSON.parse(JSON.stringify(user));
            delete mockUser['hashed_pwd'];
            delete mockUser['salt'];
            return done(null, mockUser);
        } else {
            return done(null, false);
        }
    });
});
```

Thanks in advance for your help
joeeames commented 10 years ago

It's not a simple-to-explain answer... :( Not to cop out, but it would probably take a couple of hours to work up an explanation and example. Long answer short, learn Mongoose and Node/Express better and you'll figure it out yourself before long. And until that point it probably won't matter... in fact you'll probably come up with something more appropriate for you than what I would suggest.

mic0331 commented 10 years ago

Could you maybe give me a direction on where to focus my research? I implemented a similar app in the past with Backbone.js, Mongoose and Express and had the same issue with hiding sensitive data from the client side.

Have a nice weekend

joeeames commented 10 years ago

You want to determine yourself what is going to the client vs. what you pull from the DB. So in any routes which gather data and send it to the client you should have fine control of the data, and be very comfortable with Mongoose so that you can get exactly what you want from Mongo in the shape you want it. As far as tying that in with Passport, I probably can't give you any better direction without looking closely at the problem myself. It's been so long since I wrote that code... I'm sorry. You might consider going to some kind of OAuth like Facebook or G+ login instead of a local strategy... I've wanted to add to my MEAN course to show how to do that but haven't had time.
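
The approach described in the comment above, as an added example that is not code from the course repository: keep the full Mongoose document (including hashed_pwd and salt) on req.user so that Passport and the profile-update route keep working, and strip the two secret fields only at the point where a user object is serialized for the client. The handler names getCurrentUser and updateProfile, the firstName/lastName fields, and the makeFakeUserDoc/makeFakeRes stand-ins are assumptions made for this example so it runs without Express, Mongoose or a database; the (doc, ret, options) transform signature is the one Mongoose's toJSON option calls.

```javascript
// Added example, not code from the course repository.
// Pattern: the server keeps the complete user document; secrets are removed
// only where data leaves the server, never in passport.deserializeUser.

// Field names as used in this thread.
const SECRET_FIELDS = ['hashed_pwd', 'salt'];

// Convert a user document (or plain object) into the shape safe to send.
// Assumption: Mongoose documents expose toObject(); plain objects are copied.
function toClientUser(user) {
  if (!user) return null;
  const plain = typeof user.toObject === 'function'
    ? user.toObject()
    : Object.assign({}, user);
  for (const field of SECRET_FIELDS) {
    delete plain[field];
  }
  return plain;
}

// Transform usable as the Mongoose toJSON option:
//   userSchema.set('toJSON', { transform: stripSecretFields });
// Mongoose calls transform(doc, ret, options) and serializes the returned
// object, so res.send(user) and JSON.stringify(user) never include secrets.
function stripSecretFields(doc, ret) {
  for (const field of SECRET_FIELDS) {
    delete ret[field];
  }
  return ret;
}

// Express-style handler (hypothetical route, e.g. GET /api/currentUser).
// Express is not imported; the handler only uses req.user and res.status/send.
function getCurrentUser(req, res) {
  if (!req.user) {
    return res.status(401).send({ error: 'not authenticated' });
  }
  return res.send(toClientUser(req.user));
}

// Express-style profile update: works on the full document still present on
// req.user, saves it, and again sends only the client-safe shape back.
function updateProfile(req, res) {
  const user = req.user;
  if (!user) {
    return res.status(401).send({ error: 'not authenticated' });
  }
  user.firstName = req.body.firstName;
  user.lastName = req.body.lastName;
  user.save(function (err) {
    if (err) return res.status(400).send({ error: err.message });
    return res.send(toClientUser(user));
  });
}

// Constructed stand-in for a Mongoose document, used only to exercise the
// handlers offline; a real document would come from User.findOne().
function makeFakeUserDoc(fields) {
  const doc = Object.assign({}, fields);
  doc.toObject = function () {
    const copy = {};
    for (const key of Object.keys(doc)) {
      if (typeof doc[key] !== 'function') copy[key] = doc[key];
    }
    return copy;
  };
  doc.save = function (cb) { cb(null); };
  return doc;
}

// Minimal stand-in for an Express response that records what was sent.
function makeFakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = function (code) { res.statusCode = code; return res; };
  res.send = function (payload) { res.body = payload; return res; };
  return res;
}
```

With real Mongoose, registering stripSecretFields via userSchema.set('toJSON', { transform: stripSecretFields }) makes a plain res.send(req.user) safe as well, and for list endpoints the projection User.find().select('-hashed_pwd -salt') keeps the secrets from being read out of Mongo at all. In both cases req.user stays a Mongoose document, so the profile update can still call save().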

mic0331 commented 10 years ago

Thanks, really appreciate your quick feedback. I will continue my learning journey. It would be nice to see some advanced courses on Mongoose on Pluralsight; maybe you know some good material on this subject (?) The OAuth or third-party strategy authentication is really the route I should take for more security... Thanks