

fix(security): remove hash and salt from default selection
Closes #24.
balthazar committed Nov 27, 2015
1 parent 177967a commit 5786757
Showing 4 changed files with 17 additions and 17 deletions.
20 changes: 8 additions & 12 deletions app/templates/server/api/user(auth)/user.controller.js
@@ -1,7 +1,8 @@
'use strict';

var config = require('../../config/environment');
var jwt = require('jsonwebtoken');
var _ = require('lodash');

var authService = require('../../auth/auth.service');
var User = require('./user.model');

function handleError (res, err) {
Expand All @@ -27,12 +28,10 @@ function handleError (res, err) {
exports.create = function (req, res) {
User.create(req.body, function (err, user) {
if (err) { return handleError(res, err); }
var token = jwt.sign(
{ _id: user._id },
config.secrets.session,
{ expiresInMinutes: 60 * 5 }
);
res.status(201).json({ token: token, user: user });
res.status(201).json({
user: _.omit(user.toObject(), ['passwordHash', 'salt']),
token: authService.signToken(user._id)
});
});
};
<% if (!filters.apidoc) { %>
Expand All @@ -51,10 +50,7 @@ exports.create = function (req, res) {
*
*/<% } %>
exports.getMe = function (req, res) {
var userId = req.user._id;
User.findOne({
_id: userId
}, '-salt -passwordHash', function (err, user) {
User.findById(req.user._id, function (err, user) {
if (err) { return handleError(res, err); }
if (!user) { return res.json(401); }
res.status(200).json(user);
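Review bot: The `_.omit(user.toObject(), ['passwordHash', 'salt'])` on the new create response repeats the field list that the schema now hides with `select: false`, so any future sensitive field has to be added in every controller as well as the model; a schema-level `toJSON` transform that deletes `passwordHash` and `salt` would cover every serialization path, including `getMe`'s `res.status(200).json(user)`. The omit is still needed here because `User.create` hands back the full document regardless of `select: false`, which deserves a comment on that line: `// create() returns the full doc; select:false only filters query projections`. Unrelated to this change but visible in the same hunk, `res.json(401)` in getMe sends a 200 whose body is the number 401 — `res.status(401).end()` or `res.status(401).json({ msg: 'unauthorized' })` is presumably what was intended. Also note `User.create(req.body, ...)` accepts whatever fields the client posts; whether `passwordHash`/`salt` can be set directly from the body depends on a pre-save hook that is not visible here.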
4 changes: 2 additions & 2 deletions app/templates/server/api/user(auth)/user.model.js
Expand Up @@ -6,8 +6,8 @@ var Schema = mongoose.Schema;

var UserSchema = new Schema({
email: String,
passwordHash: String,
salt: String
passwordHash: { type: String, select: false },
salt: { type: String, select: false }
});

/**
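Review bot: `select: false` on `passwordHash` and `salt` only affects which fields Mongoose projects on queries; a document that opted back in with `'+passwordHash +salt'` (or one returned by `create`) still carries both fields through `toObject()`/`toJSON()`, so every caller that sends such a document to a client must strip them itself. That contract is worth stating on the schema: `// hidden from query results by default; opt in with '+passwordHash +salt' (auth/local/passport.js) and never serialize the result to a client unstripped`. If the intent is that no route can leak them, a `toJSON` transform on the schema that deletes both keys is presumably the safer single point of enforcement. The rest of the schema (any pre-save hashing, `authenticate`) is outside this hunk.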
8 changes: 6 additions & 2 deletions app/templates/server/auth(auth)/local/index.js
@@ -1,7 +1,9 @@
'use strict';

var _ = require('lodash');
var express = require('express');
var passport = require('passport');

var auth = require('../auth.service');

var router = express.Router();
Expand All @@ -11,8 +13,10 @@ router.post('/', function (req, res, next) {
var error = err || info;
if (error) { return res.status(401).json(error); }
if (!user) { return res.status(401).json({ msg: 'login failed' }); }
var token = auth.signToken(user._id);
res.json({ token: token, user: user });
res.json({
user: _.omit(user.toObject(), ['passwordHash', 'salt']),
token: auth.signToken(user._id)
});
})(req, res, next);
});

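Review bot: The new success response strips `passwordHash` and `salt`, but the failure path two lines above, `var error = err || info; if (error) { return res.status(401).json(error); }`, still serializes a raw `err` object to the client with a 401 — a database or strategy error (message, possibly driver details) would be returned as if it were an authentication failure. Splitting the two cases keeps internals out of the body: `if (err) { return next(err); }` followed by `if (info) { return res.status(401).json(info); }`. The `_.omit(user.toObject(), ...)` is correct here only because `passport.js` re-selects the hidden fields; a one-line comment saying so, `// passport re-selects hash/salt for authenticate(); strip before responding`, would explain why this route cannot rely on the schema's `select: false`. The enclosing `router.post` handler starts above the hunk.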
2 changes: 1 addition & 1 deletion app/templates/server/auth(auth)/local/passport.js
Expand Up @@ -12,7 +12,7 @@ passport.use(new LocalStrategy({
function (email, password, done) {
User.findOne({
email: email
}, function (err, user) {
}, '+passwordHash +salt', function (err, user) {
if (err) { return done(err); }
if (!user) { return done(null, false, { msg: 'email not found' }); }
if (!user.authenticate(password)) {
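Review bot: The `'+passwordHash +salt'` projection is the one place the `select: false` fields are opted back in, and it has to match the schema field names exactly — a rename on the model would presumably leave `user.authenticate(password)` comparing against `undefined` rather than failing loudly — so it deserves a comment: `// opt the select:false fields back in for authenticate(); callers must strip them before sending the user to a client`. Separately, `done(null, false, { msg: 'email not found' })` on the next line lets a client distinguish unknown accounts from wrong passwords; a single generic message for both branches is presumably preferable. The strategy callback continues below the hunk.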
