waterlock / waterlock-local-auth

Local authentication method for waterlock
http://waterlock.ninja/
MIT License

`/auth/login` passes the password in the response #51

Open benedictchen opened 9 years ago

benedictchen commented 9 years ago

After logging in, the response payload includes the password field. No bueno.

{
  "id": 2,
  "createdAt": "2015-11-30T04:33:10.000Z",
  "updatedAt": "2015-11-30T04:33:10.000Z",
  "auth": {
    "password": "$2a$10$s.LXrJtBh0c1eDippcc3q.LRVls7eODn4QWHCTb27AX6XGv/ZN7lu",
    "email": "abc@abc.com",
    "id": 2,
    "createdAt": "2015-11-30T04:33:10.000Z",
    "updatedAt": "2015-11-30T04:33:10.000Z",
    "resetToken": null
  }
}
enten commented 8 years ago

I'm a new user. I propose editing controller/actions/logins as follows:

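/**
 * Login action.
 *
 * Looks up the auth record for the submitted credentials, checks the
 * submitted password against the stored bcrypt hash and hands the outcome
 * to the waterlock cycle. The stored hash is removed from the user object
 * before it is passed to loginSuccess/loginFailure, so it can no longer be
 * serialised into the login response (issue #51).
 *
 * @param {Object} req - request; credentials are read from req.params.all()
 * @param {Object} res - response, handed on to the waterlock cycle callbacks
 */
module.exports = function(req, res){

  var scope = require('../../scope')(waterlock.Auth, waterlock.engine);
  var params = req.params.all();

  // Both the identifier (email/username, per scope.type) and a string
  // password are required before any lookup happens.
  if(typeof params[scope.type] === 'undefined' || typeof params.password !== 'string'){
    waterlock.cycle.loginFailure(req, res, null, {error: 'Invalid '+scope.type+' or password'});
    return;
  }

  var pass = params.password;
  scope.getUserAuthObject(params, req, function(err, user){
    if (err) {
      // Validation errors are the client's fault; anything else is ours.
      if (err.code === 'E_VALIDATION') {
        return res.status(400).json(err);
      }
      return res.serverError(err);
    }

    if (!user) {
      //TODO redirect to register
      waterlock.cycle.loginFailure(req, res, null, {error: 'user not found'});
      return;
    }

    // Take the hash off the object the cycle will serialise so the response
    // never carries it. A user record without an auth object, or with no
    // local password (hash not a string), must not crash here or inside
    // bcrypt; it is simply treated as a failed login.
    var auth = user.auth;
    var storedHash = auth ? auth.password : undefined;
    if (auth) {
      delete auth.password;
      // NOTE(review): auth.resetToken is still serialised with the user; it
      // is sensitive whenever set and should probably be stripped the same way.
    }

    var matches = typeof storedHash === 'string' && bcrypt.compareSync(pass, storedHash);
    if (matches) {
      waterlock.cycle.loginSuccess(req, res, user);
    } else {
      waterlock.cycle.loginFailure(req, res, user, {error: 'Invalid '+scope.type+' or password'});
    }
  });
};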