Robin

Reputation: 1967

Is the req.user passed to the client?

I'm using node.js, express, express-session and passport.js to handle authentication in my project. In my routes.js I handle get-requests like this:

app.get('...', isLoggedIn, function(req, res, next) {
    var user = req.user;
    // ...
});

Inside the function I can get the user from the request parameter. My question is: where does the user object come from? Is the user object passed to the client and back? Can the client change the user object in an attempt to inject code into my database?

Thanks in advance!

Upvotes: 1

Views: 451

Answers (1)

Luka Krajnc

Reputation: 915

req.user is initialized when the session is created. req.user is equal to the user object stored in the session. Watch this video for more information about authentication in node.js. And no, the client cannot interact with your database through that.

Upvotes: 1
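An added example, not part of the question or the answer above: a simplified model, using only Node's crypto module, of how express-session and passport.js produce req.user. The browser holds a signed session ID, the session data stays on the server, and the user object is rebuilt server-side on each request. The names SECRET, users, sessionStore, login and handleRequest are assumptions made for this sketch, not the libraries' own code.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret';                        // known only to the server
const users = { 42: { id: 42, name: 'robin', role: 'user' } };   // stands in for the database
const sessionStore = new Map();                                  // sid -> session data, server-side

// Same shape as an express-session cookie value: "s:<sid>.<HMAC-SHA256 of sid>"
function sign(sid) {
  const mac = crypto.createHmac('sha256', SECRET).update(sid)
    .digest('base64').replace(/=+$/, '');
  return `s:${sid}.${mac}`;
}

// Returns the session ID if the signature verifies, otherwise null.
function unsign(cookie) {
  if (typeof cookie !== 'string' || !cookie.startsWith('s:')) return null;
  const sid = cookie.slice(2, cookie.lastIndexOf('.'));
  const expected = Buffer.from(sign(sid));
  const given = Buffer.from(cookie);
  const ok = expected.length === given.length &&
    crypto.timingSafeEqual(expected, given);
  return ok ? sid : null;
}

// Login: the serializeUser step keeps only the user id in the session.
function login(userId) {
  const sid = crypto.randomBytes(18).toString('hex');
  sessionStore.set(sid, { passport: { user: userId } });
  return sign(sid);                      // the only value sent to the browser
}

// Per request: verify the cookie, load the session, then the
// deserializeUser step looks the user up and sets req.user.
function handleRequest(cookie, body) {
  const req = { body, user: undefined };
  const sid = unsign(cookie);
  const session = sid && sessionStore.get(sid);
  if (session) req.user = users[session.passport.user];
  return req;
}

function demo() {
  const cookie = login(42);
  // A "user" field in the request body never reaches req.user.
  const req = handleRequest(cookie, { user: { role: 'admin' } });
  console.log(cookie, req.user);
}
demo();
```

req.body, req.query and req.params still come from the client, so values taken from them need validation and parameterized queries before they reach the database.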
