At the moment, some of the Openmaize modules send a lot of user information down the line to the controller functions. Care is taken not to reveal any sensitive information to the user or in the logs. However, I feel that more care should be taken to prevent sensitive details being returned by any of the Openmaize modules.
Proposal
Either remove or filter the entries for password_hash, otp_secret, confirmation_token and reset_token from the user model before returning it.
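
The two options in the proposal, sketched in Elixir as an added example (this is not Openmaize's own code). The `SafeUser` module and its `User` struct are hypothetical stand-ins for the application's user model, and the sample values are constructed; only the four field names come from the proposal.

```elixir
defmodule SafeUser do
  # Field names taken from the proposal above.
  @sensitive [:password_hash, :otp_secret, :confirmation_token, :reset_token]

  # Hypothetical user struct standing in for the application's user model.
  defmodule User do
    defstruct [:id, :username, :email, :password_hash, :otp_secret,
               :confirmation_token, :reset_token]
  end

  # "Filter": keep the struct type, but blank every sensitive field it has,
  # so controllers that pattern match on the struct keep working.
  def filter(%{__struct__: _} = user) do
    Enum.reduce(@sensitive, user, fn key, acc ->
      if Map.has_key?(acc, key), do: Map.put(acc, key, nil), else: acc
    end)
  end

  # Results that are not a user (nil, {:error, msg}, ...) pass through unchanged.
  def filter(other), do: other

  # "Remove": return a plain map with the sensitive keys gone entirely.
  def remove(%{__struct__: _} = user), do: user |> Map.from_struct() |> remove()

  # Plain maps may carry atom keys or string keys (e.g. decoded params).
  def remove(%{} = user) do
    Map.drop(user, @sensitive ++ Enum.map(@sensitive, &Atom.to_string/1))
  end

  def remove(other), do: other
end

# Constructed sample user; the secret values are placeholders.
user =
  struct!(SafeUser.User,
    id: 1,
    username: "alice",
    email: "alice@example.com",
    password_hash: "constructed-hash",
    otp_secret: "constructed-otp-secret",
    reset_token: "constructed-reset-token"
  )

IO.inspect(SafeUser.filter(user), label: "filtered")
IO.inspect(SafeUser.remove(user), label: "removed")
IO.inspect(SafeUser.remove(nil), label: "non-user result")
```

Filtering keeps the struct shape at the cost of leaving `nil` fields that look like real values; removing makes any accidental read of a secret field fail loudly instead.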