
Background: Using MEAN stack to build a web app, I am still learning.

The Issue: I find the following confusing. Say I have a user logged in (I am using Passport.js). From Angular I can retrieve it by querying my Node.js server. What I am doing now is something similar to:

app.get('/userLogged', function (req, res) {
  // Sends the whole Passport user object back, hashed password included.
  res.json(req.user);
});

This does not sound safe to me. I might be a novice, but I have seen this in many tutorials. With a console.log in the browser I can print all the info about the user, including the hashed password. My guess is that I should send a minimal set of information to the browser, filtering out the rest.

My Question: is this safe at all, or am I just leaving the door open to hackers?

k88074
  • You're dead on. The only data that should be sent out is what's absolutely required. Sending excess data is never a good practice, especially if you aren't 110% sure there are zero XSS vulnerabilities in your entire site. – CollinD Sep 26 '15 at 17:56

1 Answer


Take a look at the concept of ViewModel. It represents the data you want to share publicly with an external user of the system.

What can be achieved in your case is implementing the right view model out of the data model you store internally. A simplistic example illustrating this concept would be to create a view model for your user object that picks only the data you would like to send back:

// `_.pick` comes from Lodash (Underscore works the same way).
var _ = require('lodash');

// This function will return a different version
// of the `user` object having only a `name`
// and an `email` attribute.
var makeViewModel = function (user) {
  return _.pick(user, ['name', 'email']);
};

You will then be able to construct the right view model on demand:

app.get('/user',function (req,res){
     res.json(makeViewModel(req.user));
});
Halim Qarroum
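The allow-list approach from the answer carried through to a complete route, as an added example that is not code from the question or the answer: an explicit list of public fields, a handler that returns 401 instead of serialising `null` for anonymous requests, and a constructed user record showing that a later-added field such as a reset token is dropped automatically. The field names, the sample record and the `fakeResponse` stand-in for Express's `res` are assumptions made here.

```javascript
// Added example (not the question's or answer's own code): an allow-list view
// model for req.user plus an Express-style handler. Field names and the sample
// record are constructed for illustration.

// Anything not listed here is dropped, so fields added to the schema later
// (reset tokens, 2FA secrets, ...) never reach the browser by accident.
var PUBLIC_USER_FIELDS = ['id', 'name', 'email', 'role'];

function toPublicUser(user) {
  if (!user) { return null; }
  // Mongoose documents carry internal state; copy from a plain object.
  var plain = typeof user.toObject === 'function' ? user.toObject() : user;
  var view = {};
  PUBLIC_USER_FIELDS.forEach(function (field) {
    if (Object.prototype.hasOwnProperty.call(plain, field)) {
      view[field] = plain[field];
    }
  });
  return view;
}

// Route handler: Passport sets req.user only when a session exists, so an
// anonymous request gets a 401 instead of `null` serialised as JSON.
function userLoggedHandler(req, res) {
  if (!req.user) {
    return res.status(401).json({ error: 'not authenticated' });
  }
  return res.json(toPublicUser(req.user));
}

// Constructed sample of what a stored Passport user might look like.
var sampleUser = {
  id: 42, name: 'alice', email: 'alice@example.com', role: 'member',
  password: '$2a$10$constructed.hash.for.illustration.only',
  resetToken: 'constructed-reset-token', __v: 0
};

// Minimal stand-in for an Express response so the handler runs offline.
function fakeResponse() {
  var res = { statusCode: 200, body: undefined };
  res.status = function (code) { res.statusCode = code; return res; };
  res.json = function (obj) { res.body = obj; return res; };
  return res;
}

var loggedIn = fakeResponse();
userLoggedHandler({ user: sampleUser }, loggedIn);
console.log(JSON.stringify(loggedIn.body));
// → {"id":42,"name":"alice","email":"alice@example.com","role":"member"}
var anonymous = fakeResponse();
userLoggedHandler({}, anonymous);
console.log(anonymous.statusCode); // → 401
```

In a real app, `app.get('/userLogged', userLoggedHandler)` replaces the stand-in response; the handler itself needs no change.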