Browser
Chrome
Area
Auth (login / Google sign-in)
Steps to reproduce
- Check the attachUser function in the auth.js middleware.
- Notice that it finds the user based on the userId provided by the cookie and attaches the whole user object from the database to req.user.
- Log in using /dev-login so that the splitt cookie is set, then access any route protected by requireAuth.
- The /me route selects particular data from req.user, but the full user data is still available to downstream routes/controllers.
- If a downstream route directly returns req.user, the sensitive fields might be exposed accidentally.
Expected behavior
The auth.js middleware should only attach safe user fields to the req.user object.
What actually happened
The auth.js middleware attaches the whole user object from the database to req.user, because Prisma's findUnique() returns the whole record when no select is given.
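An added example (not the project's own auth.js): the middleware shape the issue describes beside a version that uses Prisma's `select` so only allow-listed fields ever reach `req.user`, no matter what downstream routes return. The fake Prisma client, the field names, and the assumption that the `splitt` cookie carries the userId directly are constructed for this example.

```javascript
// Allow-list of fields that are safe to expose on req.user (assumed field names).
const SAFE_USER_SELECT = { id: true, email: true, name: true };

// Constructed stand-in for a Prisma client so the example runs offline.
// Like the real client, findUnique returns only the keys named in `select`.
function makeFakePrisma(rows) {
  return {
    user: {
      async findUnique({ where, select }) {
        const row = rows.find((r) => r.id === where.id);
        if (!row) return null;
        if (!select) return { ...row }; // whole record, as in the reported bug
        return Object.fromEntries(
          Object.keys(select).filter((k) => select[k]).map((k) => [k, row[k]])
        );
      },
    },
  };
}

// Shape described in the issue: the entire DB row lands on req.user.
// Assumption: the splitt cookie holds the userId (the real app may sign/encode it).
function attachUserUnsafe(prisma) {
  return async (req, _res, next) => {
    const userId = req.cookies && req.cookies.splitt;
    req.user = userId ? await prisma.user.findUnique({ where: { id: userId } }) : null;
    next();
  };
}

// Hardened version: `select` makes the database return only the safe fields,
// so secrets such as password hashes never exist on req.user at all.
function attachUserSafe(prisma) {
  return async (req, _res, next) => {
    const userId = req.cookies && req.cookies.splitt;
    req.user = userId
      ? await prisma.user.findUnique({ where: { id: userId }, select: SAFE_USER_SELECT })
      : null;
    next();
  };
}

// Runs a middleware against a constructed request and returns what it put on req.user.
async function runMiddleware(mw, cookies) {
  const req = { cookies };
  await new Promise((resolve) => mw(req, {}, resolve));
  return req.user;
}
```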
Logs / Screenshots
No response