libretic/etherpad-lite
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

webaccess: Remove user's password from session info

Browse source 
This prevents the password from being logged or stored in the
database.
This commit is contained in:
Richard Hansen 2020-10-24 20:47:03 -04:00 committed by John McLear
parent 30b1273853
commit 2f65987ba2
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
src/node/hooks/express/webaccess.js
View file

@ -1,3 +1,5 @@
/* global Buffer, exports, require, setTimeout */
const assert = require('assert').strict;
const log4js = require('log4js');
const httpLogger = log4js.getLogger('http');
@ -168,7 +170,10 @@ exports.checkAccess = (req, res, next) => {
}));
}
settings.users[ctx.username].username = ctx.username;
req.session.user = settings.users[ctx.username];
// Make a shallow copy so that the password property can be deleted (to prevent it from
// appearing in logs or in the database) without breaking future authentication attempts.
req.session.user = {...settings.users[ctx.username]};
delete req.session.user.password;
}
if (req.session.user == null) {
httpLogger.error('authenticate hook failed to add user settings to session');