javascript - How to prevent entire user models from leaking up into the jade template -
i working on log in portion of project working express, passport-local , mongoose. have set of routes:
module.exports = function (app) { app.get('/', function (req, res) { res.render('index', { user : req.user, title : "home" }); }); app.get('/register', function(req, res) { res.render('register', { }); }); app.post('/register', function(req, res) { athlete.register(new athlete({ username: req.param('username'), firstname: req.param('firstname'), lastname: req.param('lastname'), dob: req.param('dob') }), req.param('password'), function(err, athlete) { if (err) { console.log(err); return res.render('register'); } res.redirect('/'); }); }); app.get('/login', function(req, res) { res.render('login', { user : req.user.username }); }); app.post('/login', passport.authenticate('local'), function(req, res) { res.redirect('/'); }); app.get('/logout', function(req, res) { req.session.destroy(function (err) { res.redirect('/'); }); });}; i able sign in , sign out no problem , displays name per jade template using p= user.firstname jade syntax. though burping object contains salt, hash, model values. huge security issue , want wrap hear around going on between route , template. how can prevent entire user database object coming , part of code causing miscommunication.
first of user object won't leak jade rendered on server side until expose secret information in template. passing information won't result in leaking.
still if want restrict entire user passing jade, can add method in user schema , call method while using res.render.
userschema.methods.getsafeuser = function() { var user = this; //filter user per requirements here. return user; }
then in controller, use
res.render('index', { user : req.user.getsafeuser() });
Comments
Post a Comment