I am using Express to write an app, and I want a global `current_user` variable so that views can tell whether the user is logged in. So I added a middleware:
// Resolve the current user on every request. It reads req.session and
// req.cookies, so it presumably has to be mounted after the session and
// cookie-parser middleware that populate those.
var userController = require('./controller/user');
app.use(userController.auth_user);
In `user.js` I define a method called `auth_user` that uses `res.locals` to set a view-local `current_user`, and also sets `req.session.user = user`:
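/**
 * Express middleware that resolves the current user and exposes it to views
 * as `res.locals.current_user` ("" when nobody is logged in).
 *
 * Lookup order:
 *   1. `req.session.user` — already authenticated in this session.
 *   2. The `user_cookie` "remember me" cookie — decrypted with `decrypt`, split
 *      on tabs, the 4th field (index 3) taken as the e-mail and looked up via
 *      `User.findOne`. A hit is cached in the session for later requests.
 *   3. Otherwise anonymous.
 *
 * `res.locals` is a plain object in Express 3+, so the value is assigned as a
 * property; calling it as a function (as the original did) throws there.
 * (Express 2 used `res.local(name, value)` for the same purpose.)
 *
 * NOTE(review): the cookie path trusts whatever `decrypt` returns. Unless
 * `decrypt` also authenticates the ciphertext (AEAD or an HMAC tag), a tampered
 * cookie could decrypt to some other e-mail — confirm in `decrypt`. No expiry
 * is checked on the token either. Also, `result` is the full DB document
 * (including `hashed_password`) and is stored in the session and handed to the
 * view layer; store a stripped copy instead if the session store serialises to
 * a client-side cookie or any template / JSON endpoint dumps the whole object.
 *
 * @param {object} req  Express request (reads req.session, req.cookies).
 * @param {object} res  Express response (writes res.locals.current_user).
 * @param {Function} next  Continuation; receives the DB error if the lookup fails.
 */
exports.auth_user = function(req, res, next) {
  // Publish the user (or "" for anonymous) to the view layer.
  function expose(user) {
    res.locals.current_user = user;
  }

  // 1. Already logged in for this session. Guard against the session
  //    middleware not being mounted instead of throwing on req.session.
  var sessionUser = req.session && req.session.user;
  if (sessionUser) {
    expose(sessionUser);
    return next();
  }

  // 2. No remember-me cookie (or no cookie parser mounted) → anonymous.
  var cookie = req.cookies && req.cookies['user_cookie'];
  if (!cookie) {
    expose("");
    return next();
  }

  // A tampered or foreign cookie typically makes decrypt throw or return
  // garbage; treat both as "not logged in" rather than crashing the request.
  var auth_token;
  try {
    auth_token = decrypt(cookie, 'user_session');
  } catch (e) {
    expose("");
    return next();
  }
  if (typeof auth_token !== 'string') {
    expose("");
    return next();
  }

  // The e-mail is the 4th tab-separated field; anything shorter is malformed
  // (the original would throw on auth[3].toLowerCase()).
  var auth = auth_token.split('\t');
  if (auth.length < 4 || !auth[3]) {
    expose("");
    return next();
  }
  var user_email = auth[3].toLowerCase();

  // 3. Look the user up; cache a hit in the session so later requests skip this.
  User.findOne({'email': user_email}, function(err, result) {
    if (err) return next(err);
    if (result) {
      if (req.session) req.session.user = result;
      expose(result);
    } else {
      // The original left current_user unset on a miss; "" keeps views consistent.
      expose("");
    }
    return next();
  });
};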
So I put a user object on `req`, and when debugging I found that `user.hashed_password` is readable from `req`. I think this is not safe. Can a user on the browser side get this information?
The browser cannot read the server-side `req` object, so as long as you do not expose the information anywhere else this is safe. "Anywhere else" is the important part: the hash does leak if a template or endpoint serialises the whole object (for example `JSON.stringify(current_user)` in a view or `res.json(req.session.user)`), and it would end up in the cookie itself if you ever used a cookie-based session store, since `req.session.user = result` stores the full document in the session.
Anyway, another question is whether it is a good idea to attach the complete user object to `req` at all when you only need a few specific fields. Why not attach a stripped-down copy that contains only the fields your views need and leaves out the hash?
Then your issue is gone regardless of whether the browser could hypothetically reach `req` or not — and a serialised session or a template that dumps the object no longer carries the hash either.