Hide hash and salt fields of user in register() #226
Conversation
Usually, in `register()` callback, you do not need salt and hash anymore. They should be hidden to avoid exposing to API.
After authentication, salt and hash are usually not used anymore. It is better to drop them to avoid exposing in `req.user`
|
I think this breaks things... |
|
Was this reverted? Doesn't seem to be in master, and I'm still getting hash and salt in my session. |
|
@saintedlama authenticate and register both seem to expose the sensitive fields on the user object |
|
Old thread... I have a scenario where exposing hash/ salt is needed on register, change password and through another channel - I'm using the mqtt-auth-plug which requires passwords to be stored as outlined here: https://github.com/jpmens/mosquitto-auth-plug#passwords At present, the register() and authenticate() functions return the hash, which is means I'm able to use this to generate the required hash format for MQTT auth to work. If nullifying these fields becomes the default, can we have an option to expose them for scenarios such as the one outlined above? Or is there another way to get salt/ hash? findOne() for example does not return these either. |
Usually, in
register()callback, you do not need salt and hash anymore. They should be hidden to avoid exposing to API.