authentication-local with Sequelize doesn't protect password on Sequelize error #691

tdolphin · 2018-08-01T20:38:34Z

feathers generate authentication
use Sequelize (postgres)
users.model.js has email field as unique
create another user with same email
Sequelize error sent in BadRequest 400 contains password.
Add hook to error in users.hooks.js has no effect.
error: { all: [protect('errors')], find: [], get: [], create: [], update: [], patch: [], remove: [] }
Tried variation:
protect('errors[0].instance.password')
Tried using omit directly with no effect.

protect/omit in error hooks should have effect

protect/omit in error hooks not called.
throw feathersError; feathers-sequelize/lib/utils

Module versions (especially the part that's not working):
authentication-local 1.2.1
feathers-sequelize 3.1.2

NodeJS version: 10.7

Operating System: windows 10

Browser Version: postman

Module Loader: npm

The text was updated successfully, but these errors were encountered:

daffl · 2018-08-01T20:53:09Z

Similar to feathersjs-ecosystem/errors#115 - basically feathers-sequelzize should not really pass through - or clean up - any of those errors.

Additionally, it is true, the protect hook in https://github.com/feathersjs/authentication-local/blob/master/lib/hooks/protect.js should also do this for context.error

daffl · 2019-05-08T05:35:49Z

This has been done in the latest feathers-sequelize.

daffl closed this as completed May 8, 2019

StevePavlin mentioned this issue Oct 21, 2019

User hook exposing password on error with protect.all hook enabled feathersjs/feathers#1633

Closed

Provide feedback