From 9d0b3f6f014d6f7013f9685b29c236c74f8cee98 Mon Sep 17 00:00:00 2001
From: Randall Degges
Date: Fri, 18 Sep 2015 16:38:58 -0700
Subject: [PATCH] Implementing sanitizeFormData helper.

---
 lib/helpers.js | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/lib/helpers.js b/lib/helpers.js
index b21754c3..d485f00f 100644
--- a/lib/helpers.js
+++ b/lib/helpers.js
@@ -538,3 +538,32 @@ module.exports.validateAccount = function(accountData, stormpathConfig, callback
   });
 });
 };
+
+/**
+ * Removes all password data from existing user-submitted form data.
+ *
+ * This is useful because when a user incorrectly logs in, or registers for a
+ * website, we should return all form data to the templates so it can have the
+ * pre-filled values populated -- EXCEPT for the password information. This
+ * ensures a password is never sent BACK to a browser.
+ *
+ * This helper function should only be used when
+ *
+ * @param {Object} formData - The user supplied form data.
+ * @param {Object} stormpathConfig - The Stormpath configuration object.
+ * @returns {Object} The sanitized form data.
+ */
+module.exports.sanitizeFormData = function(formData, stormpathConfig) {
+  if (!formData) {
+    throw new Error('sanitizeFormData must be provided with a formData argument.');
+  }
+
+  if (!stormpathConfig) {
+    throw new Error('sanitizeFormData must be provided with a stormpathConfig argument.');
+  }
+
+  delete formData[stormpathConfig.web.register.fields.password.name];
+  delete formData[stormpathConfig.web.register.fields.passwordConfirm.name];
+
+  return formData;
+};
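Review bot: The doc comment on the added sanitizeFormData breaks off mid-sentence at `* This helper function should only be used when` — finish it (e.g. `* This helper function should only be used when form data is about to be echoed back to a template.`) or drop the line. The function also scrubs the caller's object in place via `delete` while `@returns {Object} The sanitized form data.` reads as if a copy were returned; if a caller keeps a reference to the original (a request body, for instance) it is modified too, which may be intended but should be stated in the doc or avoided by copying first, e.g. `var sanitized = {}; Object.keys(formData).forEach(function(k) { sanitized[k] = formData[k]; });` and deleting from `sanitized`. Note that only the two register-configured field names are removed, so a password submitted under any other key — presumably including a differently configured login form field — would still be echoed back; worth confirming against the login flow's field configuration. Finally, `stormpathConfig.web.register.fields.password.name` throws a TypeError rather than a descriptive error when that part of the config is absent, so the argument checks above it do not cover the case they appear to.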