From 2f65987ba2aafa2a0463fc33c83d9e9324ef792e Mon Sep 17 00:00:00 2001
From: Richard Hansen
Date: Sat, 24 Oct 2020 20:47:03 -0400
Subject: [PATCH] webaccess: Remove user's password from session info

This prevents the password from being logged or stored in the database.

---
 src/node/hooks/express/webaccess.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/node/hooks/express/webaccess.js b/src/node/hooks/express/webaccess.js
index ce9571d3..f527ce22 100644
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@@ -1,3 +1,5 @@
+/* global Buffer, exports, require, setTimeout */
+
 const assert = require('assert').strict;
 const log4js = require('log4js');
 const httpLogger = log4js.getLogger('http');
@@ -168,7 +170,10 @@ exports.checkAccess = (req, res, next) => {
 }));
 }
 settings.users[ctx.username].username = ctx.username;
- req.session.user = settings.users[ctx.username];
+ // Make a shallow copy so that the password property can be deleted (to prevent it from
+ // appearing in logs or in the database) without breaking future authentication attempts.
+ req.session.user = {...settings.users[ctx.username]};
+ delete req.session.user.password;
 }
 if (req.session.user == null) {
 httpLogger.error('authenticate hook failed to add user settings to session');
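Review bot: The copy-then-`delete` on the new `req.session.user` lines is a denylist of one field: every other property of `settings.users[ctx.username]` still lands in the session, and from there in the logs and the session store, so any other credential-like value the user record may carry now or gain later is not covered (the user schema is not visible in this hunk, so this is hedged). Copying only the fields the session actually needs would make the omission the default; if the denylist is kept, a rest destructure such as `const {password: _omitted, ...sessionUser} = settings.users[ctx.username]; req.session.user = sessionUser;` expresses the intent without the mutating `delete`. Separately, sessions persisted before this change still hold `password` until they expire or the store is cleared, which the commit does not address and is worth a line in the commit message or a follow-up. The enclosing `checkAccess` function starts and ends outside the hunk.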