Hide hash and salt fields of user in register() #226

Merged
merged 4 commits into from Aug 18, 2017

guoyunhe commented Aug 18, 2017

Usually, in the register() callback, you do not need the salt and hash anymore. They should be hidden to avoid exposing them to the API.

Hide hash and salt fields of user in register()
Usually, in the `register()` callback, you do not need the salt and hash anymore. They should be hidden to avoid exposing them to the API.

guoyunhe added some commits Aug 18, 2017

Hide hash and salt of user in authenticate callback
After authentication, the salt and hash are usually not used anymore. It is better to drop them to avoid exposing them in `req.user`.

@saintedlama saintedlama merged commit f928443 into saintedlama:master Aug 18, 2017

2 checks passed

codacy/pr Good work! A positive pull request.
security/snyk No new vulnerabilities

resteinbock commented Aug 25, 2017

I think this breaks things...

roblingle commented Sep 20, 2017

Was this reverted? Doesn't seem to be in master, and I'm still getting hash and salt in my session.

davejm commented Apr 4, 2018

@saintedlama authenticate and register both seem to expose the sensitive fields on the user object
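
A regression check for the leak reported in the comments above, as an added example that is not code from this pull request or from the project. The field names `hash` and `salt` come from the thread; the function names, the `toObject()` handling and the sample session layout are assumptions made for illustration.

```javascript
// Added example: `hash` and `salt` are the field names from the thread;
// all function names and sample data below are hypothetical.
const SENSITIVE_FIELDS = new Set(['hash', 'salt']);

// Return a plain copy of `user` with the credential fields removed.
// Objects exposing toObject() (as Mongoose documents do) are converted first.
function stripCredentialFields(user) {
  const plain = typeof user.toObject === 'function' ? user.toObject() : user;
  const safe = {};
  for (const [key, value] of Object.entries(plain)) {
    if (!SENSITIVE_FIELDS.has(key)) safe[key] = value;
  }
  return safe;
}

// Walk any JSON-like payload (API response body, serialized session) and
// return the paths of credential fields that are still present.
function findLeakedFields(payload, path = '$', seen = new Set()) {
  if (payload === null || typeof payload !== 'object' || seen.has(payload)) return [];
  seen.add(payload); // guard against circular references
  const leaks = [];
  for (const [key, value] of Object.entries(payload)) {
    const here = Array.isArray(payload) ? `${path}[${key}]` : `${path}.${key}`;
    if (!Array.isArray(payload) && SENSITIVE_FIELDS.has(key)) leaks.push(here);
    leaks.push(...findLeakedFields(value, here, seen));
  }
  return leaks;
}

// Constructed sample data: a session holding the unfiltered user object,
// and the same session after the credential fields are stripped.
const storedUser = { _id: 'u1', username: 'alice', hash: 'CONSTRUCTED_HASH', salt: 'CONSTRUCTED_SALT' };
const leakySession = { cookie: { httpOnly: true }, passport: { user: storedUser } };
const safeSession = { cookie: { httpOnly: true }, passport: { user: stripCredentialFields(storedUser) } };

console.log(findLeakedFields(leakySession)); // [ '$.passport.user.hash', '$.passport.user.salt' ]
console.log(findLeakedFields(safeSession));  // []
```

Running `findLeakedFields` over response bodies and serialized sessions in an integration test turns "am I still getting hash and salt?" into an assertion that fails when a library upgrade or revert reintroduces the fields.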
