rkusa / koa-passport

Passport middleware for Koa
MIT License

Should `ctx.state.user` contains `password`? #166

Open fancyoung opened 2 years ago

fancyoung commented 2 years ago

When I use koa-passport with passport-local, user database info such as the password is in `ctx.state.user`.

What's `ctx.state.user` used for? Should I wrap it (remove the password) before passing it to the frontend, or did I make some mistake?

rkusa commented 2 years ago

passport-local usually puts the username and password into `req.user`. koa has `ctx.state` for custom data, which is why the object is put into `ctx.state.user` instead.

> What's `ctx.state.user` used for? Should I wrap it (remove the password) before passing it to the frontend, or did I make some mistake?

Yes, you should definitely not return the password to the frontend (and also don't have it as plain text available in the database object). I think most passport-local usages serialize and deserialize the user by its ID (and not the whole object), see e.g. https://github.com/rkusa/koa-passport-example/blob/master/auth.js#L11-L13.
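The pattern described in the reply above (store only the id in the session, and never let the password leave the server), as an added example that is not koa-passport's or the example repo's own code. It uses passport's real `serializeUser`/`deserializeUser` callback signatures, but the user table is an in-memory map constructed for this example and the route handler is a plain Koa-style function, so it runs without koa-passport installed.

```javascript
// Added example: keep the password hash out of ctx.state.user and out of responses.
// Constructed in-memory user store standing in for the database.
const users = new Map([
  [1, { id: 1, username: 'alice', passwordHash: '$2b$10$constructed-hash', role: 'user' }],
]);

// Whitelist of fields that may leave the server; everything else
// (passwordHash, plain password, tokens, ...) is dropped by construction.
const PUBLIC_FIELDS = ['id', 'username', 'role'];

function publicProfile(user) {
  const out = {};
  for (const key of PUBLIC_FIELDS) {
    if (user[key] !== undefined) out[key] = user[key];
  }
  return out;
}

// Register with passport.serializeUser(serializeUser):
// only the id is written to the session, not the whole user object.
function serializeUser(user, done) {
  done(null, user.id);
}

// Register with passport.deserializeUser(deserializeUser):
// runs on every request; the object it yields becomes ctx.state.user,
// so the hash is stripped once here instead of in every route.
function deserializeUser(id, done) {
  const user = users.get(id);
  if (!user) return done(null, false); // unknown id: treat as logged out
  done(null, publicProfile(user));
}

// Koa route handler, e.g. router.get('/api/me', currentUser).
// Whitelisting again here protects routes that receive a user object built
// elsewhere (for example straight from the strategy's verify callback).
function currentUser(ctx) {
  if (!ctx.state || !ctx.state.user) {
    ctx.status = 401;
    ctx.body = { error: 'not authenticated' };
    return ctx.body;
  }
  ctx.body = publicProfile(ctx.state.user);
  return ctx.body;
}
```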