fix(master): Remove credentials from action payloads after use (#556)

Credentials are only used to check if an action is authorized in the master and should not then be passed on to the reducer etc. This contributes towards #227, because now credentials should not leak beyond the `Master.onUpdate` method and won’t end up for example in the game log.
boardgameio · Mar 7, 2020 · ec7f0ad · ec7f0ad
1 parent a080ce3
commit ec7f0ad
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/src/master/master.js b/src/master/master.js
@@ -82,6 +82,18 @@ export const isActionFromAuthenticPlayer = (
   return actionCredentials === playerMetadata.credentials;
 };
 
+/**
+ * Remove player credentials from action payload
+ */
+const stripCredentialsFromAction = action => {
+  if ('payload' in action && 'credentials' in action.payload) {
+    // eslint-disable-next-line no-unused-vars
+    const { credentials, ...payload } = action.payload;
+    action = { ...action, payload };
+  }
+  return action;
+};
+
 /**
  * Master
  *
@@ -136,6 +148,8 @@ export class Master {
       return { error: 'unauthorized action' };
     }
 
+    action = stripCredentialsFromAction(action);
+
     const key = gameID;
 
     let state;