From 1c13c48beea5131690f568ebe782a04106a05125 Mon Sep 17 00:00:00 2001 From: 3onyc <3onyc@x3tech.com> Date: Sun, 16 Aug 2015 17:04:24 +0200 Subject: [PATCH 1/2] Fix removing user salt+hash from API response --- website/src/controllers/user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/src/controllers/user.js b/website/src/controllers/user.js index 949e4cfb7b..b9ad5d3d38 100644 --- a/website/src/controllers/user.js +++ b/website/src/controllers/user.js @@ -208,9 +208,9 @@ api.getUser = function(req, res, next) { user.stats.maxHealth = 50; user.stats.maxMP = res.locals.user._statsComputed.maxMP; delete user.apiToken; - if (user.auth) { - delete user.auth.hashed_password; - delete user.auth.salt; + if (user.auth && user.auth.local) { + delete user.auth.local.hashed_password; + delete user.auth.local.salt; } return res.json(200, user); }; From b2c4d5c012527f813fec2362df5c388206b4eca4 Mon Sep 17 00:00:00 2001 From: Blade Barringer Date: Sat, 22 Aug 2015 17:53:49 -0500 Subject: [PATCH 2/2] Add test for items that are deleted when getting the user --- test/api/get_user.coffee | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 test/api/get_user.coffee diff --git a/test/api/get_user.coffee b/test/api/get_user.coffee new file mode 100644 index 0000000000..530fa398a9 --- /dev/null +++ b/test/api/get_user.coffee @@ -0,0 +1,25 @@ +'use strict' + +require('../../website/src/server') + +describe 'User', -> + + before (done) -> + registerNewUser done, true + + describe 'GET /user', -> + it 'removes password from user object', (done) -> + request.get(baseURL + '/user') + .end (err, res) -> + expectCode res, 200 + localAuth = res.body.auth.local + expect(localAuth.hashed_password).to.not.exist + expect(localAuth.salt).to.not.exist + done() + + it 'removes apiToken from user object', (done) -> + request.get(baseURL + '/user') + .end (err, res) -> + expectCode res, 200 + expect(res.body.apiToken).to.not.exist + done()