
I'm currently creating a Node app with Express and Passport and using this middleware in my main server.js file:

// Function to protect urls
function isProtected(req, res, next) {
    if (req.isAuthenticated()) {
        // User is logged in
        res.locals.user = req.user;
        return next();
    }

    // User is not logged in. Redirect to login.
    res.redirect('login');
}

app.use('/protected_path', isProtected, protectedRouter);

My question targets this line:

res.locals.user = req.user;

The user object is passed to res.locals so it can be used to populate fields like name, user role, date of registration, ...

Is there a way a user/website/api program (like Postman) can access the "res.locals" variables? There may be some sensitive data inside the req.user object and I just want to use the "res.locals" to get data which will be rendered in views like the profile page.

I could just pass the necessary variables into res.locals but this can get quite messy.

My last approach was to 'blacklist' the unnecessary variables described here: SO: How to omit specific properties from an object in JavaScript

Can the user access res.locals variables and therefore would it be security relevant? I would prefer my current solution if not.

Dominik

1 Answer


No, they cannot access res.locals unless you give them to them yourself in a view or in some other way. Some details can be found in the documentation.

Rustam D9RS
  • Thank you very much! Just to clarify this for me: if I render a page like `res.render('index', { user: res.locals.user });` I can access the user from my view (index) and display his name etc., but the user (person) itself has no access to the user variable? – Dominik Jun 18 '20 at 11:31
  • Yes, of course, no one except the server has access to this data. – Rustam D9RS Jun 18 '20 at 12:33
  • Great! Thank you for the explanation. – Dominik Jun 18 '20 at 13:36
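As an added illustration (not code from the question or the answer): res.locals stays inside the Node process, so the only thing a client can ever see is what the route hands to a template. The snippet below keeps the full req.user in res.locals for server-side use but gives views a separate allowlisted object, so a sensitive field such as a password hash cannot leak through a template by accident. Express is not loaded; req and res are constructed stand-ins, the field names, `/login` redirect path and sample user are assumptions.

```javascript
// Only these properties of req.user are ever passed to a template (assumed names).
const PUBLIC_USER_FIELDS = ['name', 'role', 'registeredAt'];

// Return a new object holding only the allowlisted fields. An allowlist is
// safer than the "blacklist" approach from the question: a field added to
// the user model later stays hidden until it is listed here explicitly.
function publicProfile(user) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (user && Object.prototype.hasOwnProperty.call(user, key)) {
      out[key] = user[key];
    }
  }
  return out;
}

// Same shape as the question's middleware; views are meant to use res.locals.profile.
function isProtected(req, res, next) {
  if (req.isAuthenticated()) {
    res.locals.user = req.user;                   // full record, server-side only
    res.locals.profile = publicProfile(req.user); // what templates should receive
    return next();
  }
  res.redirect('/login'); // assumed login path
}

// Constructed stand-ins for Express objects, just enough to run the middleware.
function simulateRequest(user) {
  const req = { user, isAuthenticated: () => Boolean(user) };
  const res = { locals: {}, redirectedTo: null, redirect(url) { this.redirectedTo = url; } };
  let reachedRoute = false;
  isProtected(req, res, () => { reachedRoute = true; });
  // The route would call res.render('profile', res.locals.profile); the serialized
  // profile is the only data that crosses to the client.
  const rendered = reachedRoute ? JSON.stringify(res.locals.profile) : null;
  return { res, reachedRoute, rendered };
}

// Constructed sample user containing a field that must never reach a view.
const sampleUser = {
  name: 'dominik',
  role: 'member',
  registeredAt: '2020-06-18',
  passwordHash: 'argon2id$constructed-placeholder',
};
```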