javascript - How to prevent entire user models from leaking up into the jade template
I'm working on the log-in portion of a project using Express, passport-local and Mongoose. I have this set of routes:

```javascript
var passport = require('passport');
var athlete = require('../models/athlete'); // path to the athlete model is assumed here

module.exports = function (app) {
  app.get('/', function (req, res) {
    res.render('index', { user : req.user, title : "home" });
  });

  app.get('/register', function (req, res) {
    res.render('register', { });
  });

  app.post('/register', function (req, res) {
    athlete.register(new athlete({
      username: req.param('username'),
      firstname: req.param('firstname'),
      lastname: req.param('lastname'),
      dob: req.param('dob')
    }), req.param('password'), function (err, athlete) {
      if (err) {
        console.log(err);
        return res.render('register');
      }
      res.redirect('/');
    });
  });

  app.get('/login', function (req, res) {
    // req.user is undefined for an anonymous visitor, so guard before dereferencing it
    res.render('login', { user : req.user ? req.user.username : null });
  });

  app.post('/login', passport.authenticate('local'), function (req, res) {
    res.redirect('/');
  });

  app.get('/logout', function (req, res) {
    req.session.destroy(function (err) {
      res.redirect('/');
    });
  });
};
```
I am able to sign in and sign out with no problem, and it displays the name in the Jade template using `p= user.firstname` in Jade syntax. However, it is burping out an object that contains the salt, hash and model values. This is a huge security issue, and I want to wrap my head around what is going on between the route and the template. How can I prevent the entire user database object from coming through, and which part of the code is causing this miscommunication?
First of all, the user object won't leak, since Jade is rendered on the server side, unless you expose the secret information in the template. Passing the information won't result in leaking.

Still, if you want to restrict the entire user from being passed to Jade, you can add a method to the user schema and call that method when using res.render.
```javascript
userschema.methods.getsafeuser = function () {
  var user = this;
  // Filter the user per your requirements here: return only the fields the
  // template needs, so salt and hash never reach res.render.
  return {
    username: user.username,
    firstname: user.firstname,
    lastname: user.lastname,
    dob: user.dob
  };
};
```
Then in the controller, use:

```javascript
res.render('index', { user : req.user.getsafeuser() });
```
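As an added example (not part of the question or the answer above), the whitelist approach in plain Node.js, independent of Mongoose: `getSafeUser` copies only the named fields out of the user record, `buildLocals` produces the object handed to `res.render`, and `sampleUser` is a constructed stand-in for a passport-local-mongoose document with made-up `salt` and `hash` values. The field list `SAFE_USER_FIELDS` and the helper names are assumptions for this example; a whitelist fails closed, so a field added to the schema later stays hidden until someone deliberately lists it, which is the property a blacklist that merely deletes `salt` and `hash` does not give you.

```javascript
// Added example: whitelist the fields a template may see instead of passing
// the whole user document to res.render(). Names and field list are assumed.

const SAFE_USER_FIELDS = Object.freeze(['username', 'firstname', 'lastname', 'dob']);

// Return a new object holding only the whitelisted fields of userDoc.
// Accepts a Mongoose document (via toObject()) or a plain object.
// Returns null for an anonymous visitor (req.user undefined).
function getSafeUser(userDoc, fields = SAFE_USER_FIELDS) {
  if (!userDoc) return null;
  const src = typeof userDoc.toObject === 'function' ? userDoc.toObject() : userDoc;
  const safe = {};
  for (const key of fields) {
    if (Object.prototype.hasOwnProperty.call(src, key)) {
      safe[key] = src[key];
    }
  }
  return safe;
}

// Build the locals object for res.render(): the template only ever receives
// the reduced user, never the raw document with salt/hash/_id/__v.
function buildLocals(req, extra = {}) {
  return Object.assign({ user: getSafeUser(req.user) }, extra);
}

// Constructed sample document mimicking a passport-local-mongoose user.
// The salt and hash values are made up for this example.
const sampleUser = {
  _id: '000000000000000000000001',
  username: 'jdoe',
  firstname: 'Jane',
  lastname: 'Doe',
  dob: '1990-01-01',
  salt: 'constructed-salt-value',
  hash: 'constructed-hash-value',
  __v: 0,
};

// Demo: what the template would see for a logged-in and an anonymous visitor.
console.log(JSON.stringify(buildLocals({ user: sampleUser }, { title: 'home' })));
console.log(JSON.stringify(buildLocals({}, { title: 'home' })));
```

In the routes above this replaces `{ user : req.user, title : "home" }` with `buildLocals(req, { title: 'home' })`; the template keeps using `p= user.firstname` unchanged, and a quick check that no key outside `SAFE_USER_FIELDS` appears in the rendered locals is a sensible regression test to keep next to the schema.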