webaccess: Remove user's password from session info

This prevents the password from being logged or stored in the database.
2020-10-24 20:47:03 -04:00 · 2020-10-24 20:47:03 -04:00 · 2f65987ba2
parent 30b1273853
commit 2f65987ba2
1 changed files with 6 additions and 1 deletions
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@ -1,3 +1,5 @@
+/* global Buffer, exports, require, setTimeout */
+
 const assert = require('assert').strict;
 const log4js = require('log4js');
 const httpLogger = log4js.getLogger('http');
@ -168,7 +170,10 @@ exports.checkAccess = (req, res, next) => {
          }));
        }
        settings.users[ctx.username].username = ctx.username;
-        req.session.user = settings.users[ctx.username];
+        // Make a shallow copy so that the password property can be deleted (to prevent it from
+        // appearing in logs or in the database) without breaking future authentication attempts.
+        req.session.user = {...settings.users[ctx.username]};
+        delete req.session.user.password;
      }
      if (req.session.user == null) {
        httpLogger.error('authenticate hook failed to add user settings to session');