JavaScript
WhatIsHTML, 2017-03-09 02:44:22

How to hide secret information about the user during authorization (password, id)?

I do authorization by email and password on the server side (Node.js). All user information is retrieved from the database (MongoDB), including id and password. The password is stored in a hash format, but it still does not need to be sent to the frontend, just like the password.
My idea was this:
- make a separate userPublic object with fields that will go to the client

let dataPublic = {
    name: "",
    email: ""
}
module.exports = dataPublic;

- then, during authorization, copy to this object only those properties that are declared in it, i.e. name, email
Object.assign(dataPublic, dataFromDb);
Problem: all properties are copied to dataPublic, including those that are not declared in it.
Possible solution: write the function manually.
Questions:
1. Is there a standard method for this?
2. How can I better and more correctly implement what I have in mind?

2 answer(s)
Alexey Yarkov, 2017-03-09
@WhatIsHTML

PSEUDOCODE:

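// findOne yields a single document or null; find() yields an array, which is always truthy
User.findOne({
    email: req.body.email,
    password: User.hashPassword(req.body.password)
}, (err, user) => {
    if (err) {
        return res.status(400).json({error: err});
    }
    if (!user) {
        // No matching user: answer the request instead of leaving it hanging
        return res.status(401).json({error: 'Invalid email or password'});
    }
    // The array passed as the replacer is an allow-list: only these keys are serialized
    let data = JSON.parse(JSON.stringify(user, ['allow', 'fields', 'in', 'array']));
    return res.status(200).json(data);
});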
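
Added example, not part of the original question or answers: an allow-list projection that builds a fresh object per request, so fields such as password and _id never reach the response and no module-level object is shared between users. The names PUBLIC_USER_FIELDS and toPublicUser and the sample record are hypothetical; the toObject() branch assumes a Mongoose-style document.

```javascript
'use strict';

// Hypothetical allow-list: the only fields the client may ever receive.
const PUBLIC_USER_FIELDS = Object.freeze(['name', 'email']);

// Return a NEW object holding only allow-listed own properties of the record.
// Unlike Object.assign(dataPublic, dataFromDb), nothing outside the list is
// copied, and no shared module-level object is mutated between requests.
function toPublicUser(record, fields = PUBLIC_USER_FIELDS) {
  if (record === null || typeof record !== 'object') {
    throw new TypeError('user record must be an object');
  }
  // Assumption: ODM documents (e.g. Mongoose) expose toObject();
  // plain objects are read directly.
  const source = typeof record.toObject === 'function' ? record.toObject() : record;
  const out = {};
  for (const key of fields) {
    // Own properties only, so inherited or prototype keys are never copied.
    if (Object.prototype.hasOwnProperty.call(source, key)) {
      out[key] = source[key];
    }
  }
  return out;
}

// Constructed sample record shaped like the question's dataFromDb.
const dataFromDb = {
  _id: '000000000000000000000001',
  name: 'Alice',
  email: 'alice@example.com',
  password: '<constructed-hash-placeholder>',
};

// The approach from the question: Object.assign copies every enumerable
// own property of the source, secrets included.
const leaked = Object.assign({ name: '', email: '' }, dataFromDb);
console.log('Object.assign keys:', Object.keys(leaked));

// Allow-list projection: only the declared public fields survive.
console.log('public view:', JSON.stringify(toPublicUser(dataFromDb)));
```

In a route handler the result would be passed straight to res.json(toPublicUser(user)); adding a new field to the database schema then exposes nothing until it is added to the allow-list.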

Ivan, 2017-03-09
@LiguidCool

And why send anything to the client at all? The client should send the data, and then it will be authorized by session.
