CODEWITHSUNDEEP
node.jsservletsexpresspassport.js
Anathema.Imbued
Anathema.Imbued

Reputation: 3491

PassportJS req.user sending all user data

I'm using PassportJS local strategy for user authentication, its working totally fine on. However when I try to console.log(req.user) on any authenticated page, I get all DB entry details of the current logged in user. Is this normal ? Including hashed Password

{ 
    name: 'Test',
    email: '[email protected]',
    password: '$2a$10$aw2aMtXtrmKHi.kd97c0NeMOu6Y0hlcM4xk2VuqfneLYdEkc676eq',
    phone: 9xxxxx6,
    _enabled: true,
    _id: 5253f326003e55f028000001,
    __v: 0 
}

My local strategy is defined like this.

passport.use(new strategy(function(username, password, done) {
 User.findOne({ "email": username }, function(err, user) {
  if (err) { return done(err); }
  if (!user) { return done(null, false, { message: 'Unknown user ' + username }); }
  if(user._enabled==false) return done(null,false,{message: "Dear "+user.name+", Please verify your email first!"});
  if(bcrypt.compareSync(password,user.password)){
    return done(null, user);
    app.set("userEmail",username);
    } 
   else {
    return done(null, false, { message: 'Invalid password' });
    }
 db.close();
})
}));

Is there any possibility that this data can be tampered with ?

Upvotes: 5

Views: 1147

Answers (2)

Anathema.Imbued
Anathema.Imbued

Reputation: 3491

Okei I got the answer, I was not deerializing properly !

passport.deserializeUser(function(id, done) {
    User.findOne({_id:id}, function (err, user) {
    done(err, user._id);
  });
});

Upvotes: 0

irla
irla

Reputation: 489

Yes it can be tmpered. User which is bind to req object is loaded using deserializeUser.

Please see: http://passportjs.org/guide/configure/ and "Sessions" section.

Upvotes: 1

Related Questions