PassportJS req.user sending all user data

I'm using the PassportJS local strategy for user authentication, and it's working totally fine. However, when I console.log(req.user) on any authenticated page, I get all the DB entry details of the currently logged-in user, including the hashed password. Is this normal?

{ 
    name: 'Test',
    email: '[email protected]',
    password: '$2a$10$aw2aMtXtrmKHi.kd97c0NeMOu6Y0hlcM4xk2VuqfneLYdEkc676eq',
    phone: 9xxxxx6,
    _enabled: true,
    _id: 5253f326003e55f028000001,
    __v: 0 
}

My local strategy is defined like this.

var LocalStrategy = require('passport-local').Strategy;
var bcrypt = require('bcrypt');

passport.use(new LocalStrategy(function(username, password, done) {
  // User is the Mongoose model; app is the Express app (both defined elsewhere).
  User.findOne({ email: username }, function(err, user) {
    if (err) { return done(err); }
    if (!user) { return done(null, false, { message: 'Unknown user ' + username }); }
    if (user._enabled === false) {
      return done(null, false, { message: 'Dear ' + user.name + ', please verify your email first!' });
    }
    if (bcrypt.compareSync(password, user.password)) {
      // In the original this line came after the return and never ran.
      app.set('userEmail', username);
      // The whole Mongoose document (hashed password included) is handed to
      // Passport here; serializeUser/deserializeUser decide what reaches req.user.
      return done(null, user);
    }
    return done(null, false, { message: 'Invalid password' });
    // The original called db.close() here, after every branch had already
    // returned, so it never executed; the shared connection should stay open.
  });
}));

Is there any possibility that this data can be tampered with?

Anathema.Imbued asked Nov 12 '22 20:11


1 Answer

Yes, it can be tampered with. The user which is bound to the req object is loaded using deserializeUser.

Please see: http://passportjs.org/guide/configure/ and the "Sessions" section.

irla answered Nov 15 '22 06:11
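As an added illustration of the answer (not code from the question or from Passport itself), the block below shows the two session hooks the answer points at. Passport's real `passport.serializeUser` / `passport.deserializeUser` take callbacks with exactly these signatures; here the hooks are plain functions over an in-memory `Map` standing in for the Mongoose `User` model, with a constructed user record, so it runs without a database. The session only ever stores the user id, and `deserializeUser` rebuilds `req.user` from the server-side store on each request and projects it to a safe shape, which is what keeps the password hash off `req.user` and keeps the object out of the client's reach.

```javascript
// Added example: what serializeUser/deserializeUser should put on req.user.
// Constructed sample record standing in for a Mongoose document.
const users = new Map([
  ['5253f326003e55f028000001', {
    _id: '5253f326003e55f028000001',
    name: 'Test',
    email: 'test@example.com',
    password: '$2a$10$CONSTRUCTED.PLACEHOLDER.HASH.not.a.real.bcrypt.value',
    phone: 9000000006,
    _enabled: true,
    __v: 0,
  }],
]);

// Fields that may appear on req.user; the hash and Mongoose internals stay out.
const SAFE_FIELDS = ['_id', 'name', 'email', 'phone', '_enabled'];

function toPublicUser(doc) {
  const out = {};
  for (const f of SAFE_FIELDS) {
    if (f in doc) out[f] = doc[f];
  }
  return out;
}

// Same signature as the callback given to passport.serializeUser:
// only the id goes into the session store, never the document.
function serializeUser(user, done) {
  done(null, String(user._id));
}

// Same signature as the callback given to passport.deserializeUser:
// reload by id from the server-side store and hand back the safe projection.
// Because the session holds just an id, a client cannot edit req.user fields.
function deserializeUser(id, done) {
  const doc = users.get(id);
  if (!doc) return done(null, false);   // session refers to a deleted user
  done(null, toPublicUser(doc));
}

// Minimal stand-in for what passport's session middleware does per request:
// read the stored id and run deserializeUser. The hooks above call done
// synchronously, so the result is available immediately (a simplification).
function loadReqUser(session) {
  if (!session || !session.userId) return undefined;
  let result;
  deserializeUser(session.userId, (err, user) => { result = err ? undefined : user; });
  return result || undefined;
}

// With real Passport the wiring would be:
//   passport.serializeUser(serializeUser);
//   passport.deserializeUser(deserializeUser);
```

The local strategy can still pass the full document to `done(null, user)` as in the question; what lands on `req.user` afterwards is whatever `deserializeUser` returns, so the projection only needs to happen there. If the hash must never reach Passport at all, apply `toPublicUser` inside the strategy callback before calling `done`.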