fix(security): remove hash and salt from default selection

balthazar · balthazar · commit 5786757d724a · 2015-11-27T13:39:15.000+01:00
Closes #24.
diff --git a/app/templates/server/api/user(auth)/user.controller.js b/app/templates/server/api/user(auth)/user.controller.js
@@ -1,7 +1,8 @@
 'use strict';
 
-var config = require('../../config/environment');
-var jwt = require('jsonwebtoken');
+var _ = require('lodash');
+
+var authService = require('../../auth/auth.service');
 var User = require('./user.model');
 
 function handleError (res, err) {
@@ -27,12 +28,10 @@ function handleError (res, err) {
 exports.create = function (req, res) {
   User.create(req.body, function (err, user) {
     if (err) { return handleError(res, err); }
-    var token = jwt.sign(
-      { _id: user._id },
-      config.secrets.session,
-      { expiresInMinutes: 60 * 5 }
-    );
-    res.status(201).json({ token: token, user: user });
+    res.status(201).json({
+      user: _.omit(user.toObject(), ['passwordHash', 'salt']),
+      token: authService.signToken(user._id)
+    });
   });
 };
 <% if (!filters.apidoc) { %>
@@ -51,10 +50,7 @@ exports.create = function (req, res) {
  *
  */<% } %>
 exports.getMe = function (req, res) {
-  var userId = req.user._id;
-  User.findOne({
-    _id: userId
-  }, '-salt -passwordHash', function (err, user) {
+  User.findById(req.user._id, function (err, user) {
     if (err) { return handleError(res, err); }
     if (!user) { return res.json(401); }
     res.status(200).json(user);
diff --git a/app/templates/server/api/user(auth)/user.model.js b/app/templates/server/api/user(auth)/user.model.js
@@ -6,8 +6,8 @@ var Schema = mongoose.Schema;
 
 var UserSchema = new Schema({
   email: String,
-  passwordHash: String,
-  salt: String
+  passwordHash: { type: String, select: false },
+  salt: { type: String, select: false }
 });
 
 /**
diff --git a/app/templates/server/auth(auth)/local/index.js b/app/templates/server/auth(auth)/local/index.js
@@ -1,7 +1,9 @@
 'use strict';
 
+var _ = require('lodash');
 var express = require('express');
 var passport = require('passport');
+
 var auth = require('../auth.service');
 
 var router = express.Router();
@@ -11,8 +13,10 @@ router.post('/', function (req, res, next) {
     var error = err || info;
     if (error) { return res.status(401).json(error); }
     if (!user) { return res.status(401).json({ msg: 'login failed' }); }
-    var token = auth.signToken(user._id);
-    res.json({ token: token, user: user });
+    res.json({
+      user: _.omit(user.toObject(), ['passwordHash', 'salt']),
+      token: auth.signToken(user._id)
+    });
   })(req, res, next);
 });
 
diff --git a/app/templates/server/auth(auth)/local/passport.js b/app/templates/server/auth(auth)/local/passport.js
@@ -12,7 +12,7 @@ passport.use(new LocalStrategy({
   function (email, password, done) {
     User.findOne({
       email: email
-    }, function (err, user) {
+    }, '+passwordHash +salt', function (err, user) {
       if (err) { return done(err); }
       if (!user) { return done(null, false, { msg: 'email not found' }); }
       if (!user.authenticate(password)) {
