Reputation: 1933
I'm reading source code of meanjs project to learn javascript and MEAN better. There is an expression:
<!--Embedding The User Object-->
<script type="text/javascript">
var user = {{ user | json | safe }};
</script>
I understand that it is sending the user record as a JSON object to the browser, but I can't find the 'safe' filter on Google. Could anyone please point me in the right direction or explain what this is?
Upvotes: 1
Views: 108
Reputation: 580
Yes, the user object is actually getting passed to the browser, and it actually displays in the source code. In practice, my deployed app has this in the source code (actual data generalized):
<!--Embedding The User Object-->
<script type="text/javascript">
var user = {"_id":"123abc456xyzetc","displayName":"First Last","provider":"local","username":"newguy","__v":0,"roles":["admin"],"email":"[email protected]","lastName":"Last","firstName":"First"};
</script>
As you can see, it actually dumps user information into the source code, which isn't the most secure way to develop an app. If you comment out or remove the line in your layout.server.view.html file (var user = {{ user | json | safe }};), then you can't really log in. It logs you in, then immediately kicks you out.
You'll notice, though, in your config > passport.js file that some information is removed before being passed back to the browser, starting at around line 14:
// Deserialize sessions
passport.deserializeUser(function(id, done) {
    User.findOne({
        _id: id
    // The following line is removing sensitive data. In theory, you could remove other data using this same line.
    }, '-salt -password -updated -created', function(err, user) {
        done(err, user);
    });
});
If you do decide to remove additional fields, though, be aware that this can break your app. I removed the user id, for example, and most of my app worked, but it broke some specific functions (I believe it was Articles, if I remember right).
Upvotes: 1
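As an added example (not code from the meanjs project or from either poster), here is the server-side counterpart of what the answer describes: instead of relying only on the '-salt -password ...' exclusion in deserializeUser, build the value for the `var user = ...;` line from an allowlist of fields, and escape the JSON so that a value containing `</script>` cannot end the script element early (plain JSON.stringify leaves `<`, `>` and `&` untouched). The field list and the sample user are assumptions chosen for illustration.

```javascript
// Fields the browser actually needs; everything else (salt, password, ...) is
// never serialized. Assumption: this list is illustrative, not taken from meanjs.
const PUBLIC_USER_FIELDS = ['_id', 'displayName', 'username', 'roles', 'provider'];

// Copy only the allowlisted own properties of the user record.
function pickPublicFields(user, fields = PUBLIC_USER_FIELDS) {
  const out = {};
  for (const f of fields) {
    if (user != null && Object.prototype.hasOwnProperty.call(user, f)) {
      out[f] = user[f];
    }
  }
  return out;
}

// JSON.stringify does not escape '<', '>' or '&', so a string value containing
// "</script>" would be parsed by the browser as the end of the script element.
// Replacing those characters with their \uXXXX escapes keeps the text valid
// JSON while making it inert as HTML. U+2028/U+2029 are escaped because they
// are line terminators in JavaScript source but plain characters in JSON.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The line that would replace `var user = {{ user | json | safe }};` in the template.
function embedUser(user) {
  return 'var user = ' + jsonForScript(pickPublicFields(user)) + ';';
}

// Constructed sample: the fields shown in the answer, the sensitive ones the
// projection string is meant to strip, and a displayName that contains markup.
const sampleUser = {
  _id: '123abc456xyzetc',
  displayName: 'First</script>Last',
  provider: 'local',
  username: 'newguy',
  __v: 0,
  roles: ['admin'],
  email: 'newguy@example.com',
  salt: 'constructed-salt',
  password: 'constructed-hash',
};

console.log(embedUser(sampleUser));
```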