So I've gotten Passport to work with Node.js and MongoDB for session management, which of course conveniently provides access to the user object in the request header. However, at least for me, Passport sets this object to be the entire account document from MongoDB. For the schema I've created, this includes everything about the user: email, name, hashed and salted password, etc. So I have two questions about this.
First of all, is it really secure to send all that info back and forth between server and client over and over again? Sure it's sent over SSL and the password is hashed and salted - but all the user info is still in there. Should my schema demand user info (personal info not needed for authentication) be kept in a different MongoDB document? Even if I did that, the hashed password would still be passed back and forth. Is it assumed that SSL prevents that data from being eavesdropped? It just seems that if someone hypothetically managed to suck up every header sent to my app, they could just recreate the user database and perform a rainbow table attack.
Second of all, on the server side, I've (naively?) been using the request header username element (req.user.username) to determine which user is connected and authenticated. But it seems that if a user just changed their header to be a different username, my code would allow them to masquerade as a different user. So should I be verifying the identity of the request by another means, instead of just using the plaintext username available? Or am I completely off the mark as to how these headers are stored, generated, and passed, and this isn't actually a security issue? If so, can someone elaborate a bit on how these headers from Passport are actually created?
For your first question: no, it is not OK to send everything (including the password hash) to the user; that would defeat its purpose and, as you said very well, once someone had the hash it would be much easier to do a brute force attack (you don't want that data to be exfiltrated from your app).
As for the second question, you should have some middleware or plugin that validates that the cookie present on the request is actually valid and was generated by you in the first place. It is OK to use req.user.username for authorization purposes in route handlers once you have validated that the user has previously authenticated in your system (through the cookie).
Be sure to check out this blog post on how to build secure Express apps: https://blog.liftsecurity.io/2012/12/07/writing-secure-express-js-apps. But in case you are still considering which framework to use, I would take a look at Hapijs and its bell plugin for authentication, and https://github.com/hapijs/hapi-auth-cookie to keep the session.
Good luck! :)