Merge branch 'remove-passwordHash-from-login' into 'master'

fix(authenticate): remove passwordHash from login response See merge request pubsweet/pubsweet!430

Merge branch 'remove-passwordHash-from-login' into 'master'
fix(authenticate): remove passwordHash from login response See merge request pubsweet/pubsweet!430
4f2bf5f6 · Jure · 526293d4 · 1a978da6 · 4f2bf5f6 · 4f2bf5f6
Commit 4f2bf5f6 authored 6 years ago by Jure
--- a/packages/server/src/routes/api_users.js
+++ b/packages/server/src/routes/api_users.js
@@ -26,13 +26,19 @@ const {
 } = require('./util')

 // Issue a token
-api.post('/users/authenticate', authLocal, (req, res) =>
-  res
-    .status(STATUS.CREATED)
-    .json(
-      Object.assign({ token: authentication.token.create(req.user) }, req.user),
-    ),
-)
+api.post('/users/authenticate', authLocal, async (req, res) => {
+  const user = Object.assign(
+    { token: authentication.token.create(req.user) },
+    req.user,
+  )
+  req.user = req.user.id
+  const properties = await applyPermissionFilter({
+    req,
+    target: user,
+  })
+
+  return res.status(STATUS.CREATED).json(properties)
+})

 // Verify a token
 api.get('/users/authenticate', authBearer, async (req, res, next) => {

--- a/packages/server/test/api_users_test.js
+++ b/packages/server/test/api_users_test.js
@@ -126,6 +126,15 @@ describe('users api', () => {
          expect(res.statusCode).toEqual(STATUS.UNAUTHORIZED)
        }))

+    it('can filter response with authsome', async () => {
+      const response = await api.request.post('/api/users/authenticate').send({
+        username: fixtures.otherUser.username,
+        password: fixtures.otherUser.password,
+      })
+
+      expect(Object.keys(response.body)).not.toContain('passwordHash')
+    })
+
    it('can verify its token', async () => {
      const token = await api.users.authenticate.post(fixtures.otherUser)
      const res = await api.users.authenticate.get(token).expect(STATUS.OK)

--- a/packages/server/test/helpers/authsome_mode.js
+++ b/packages/server/test/helpers/authsome_mode.js
@@ -219,6 +219,13 @@ async function authenticatedUser(user, operation, object, context) {
    }
  }

+  // filter user properties on login
+  if (operation === 'POST' && get(object, 'type') === 'user') {
+    return {
+      filter: body => omit(body, ['passwordHash']),
+    }
+  }
+
  // If no individual permissions exist (above), fallback to unauthenticated
  // user's permission
  return unauthenticatedUser(operation, object)