diff --git a/test/api/get_user.coffee b/test/api/get_user.coffee new file mode 100644 index 0000000000..530fa398a9 --- /dev/null +++ b/test/api/get_user.coffee @@ -0,0 +1,25 @@ +'use strict' + +require('../../website/src/server') + +describe 'User', -> + + before (done) -> + registerNewUser done, true + + describe 'GET /user', -> + it 'removes password from user object', (done) -> + request.get(baseURL + '/user') + .end (err, res) -> + expectCode res, 200 + localAuth = res.body.auth.local + expect(localAuth.hashed_password).to.not.exist + expect(localAuth.salt).to.not.exist + done() + + it 'removes apiToken from user object', (done) -> + request.get(baseURL + '/user') + .end (err, res) -> + expectCode res, 200 + expect(res.body.apiToken).to.not.exist + done() diff --git a/website/src/controllers/user.js b/website/src/controllers/user.js index 89ea68ef7b..4e261ec3d8 100644 --- a/website/src/controllers/user.js +++ b/website/src/controllers/user.js @@ -204,9 +204,9 @@ api.getUser = function(req, res, next) { user.stats.maxHealth = shared.maxHealth; user.stats.maxMP = res.locals.user._statsComputed.maxMP; delete user.apiToken; - if (user.auth) { - delete user.auth.hashed_password; - delete user.auth.salt; + if (user.auth && user.auth.local) { + delete user.auth.local.hashed_password; + delete user.auth.local.salt; } return res.json(200, user); };