Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Payload limiting on `app.get('user')`? #354

leebenson opened this Issue Nov 26, 2016 · 2 comments


None yet
2 participants
Copy link

leebenson commented Nov 26, 2016

There seem to be two options for limiting 'user' object fields:

1. Payload
i.e. the stuff that goes into the JWT token, set on token: { payload { /* set here */ }} in the call to .authentication on the server.

2. Using 'after' hooks
i.e. hooks.remove('password')

So far, so good.

Except app.get('user') on the client side seems to return the full user object, minus only the password field. If there are any other private fields returned by the service (in my case, using knex) then those are still exposed.

Is there a way to limit what the client sees via app.get('user')?

This isn't so much for security in my case, and more to limit bandwidth to data that I'll actually use. I have a lot of normalised statistical stuff in my user tables that aren't really relevant to send down the wire.


This comment has been minimized.

Copy link

daffl commented Nov 30, 2016

That's why auth 1.0 client is doing a separate get to get the user (with all the hooks). I recommend upgrading to 1.0-beta (see


This comment has been minimized.

Copy link

leebenson commented Nov 30, 2016

great, I'll do that. Thanks @daffl

@leebenson leebenson closed this Nov 30, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.