Which user info is safe to expose on the client side? #18
-
|
Hey :) Thanks for this great library. I've been looking for a solution like this to SK authentication for a while now. I don't know too much about authentication, so bear with me. Is it safe to be exposing
I understand that the password being hashed makes it safe, but should that info be available anyway? Is it a matter of how I wrote my adapter that this is what is returned for the user? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 5 replies
-
|
Can you tell me where that screenshot is from, and how the data is stored in Mongoose? Adapters only return what's stored in the database and The object returned from get functions should be : type DatabaseUser<UserData extends {}> = {
id: string;
hashed_password: string;
identifier_token: string;
} & UserData;So for example: {
id: "abcdefg",
hashed_password: "hashed_123456789",
identifier_token: "email:[email protected]",
email: "[email protected]",
username: "user"
} |
Beta Was this translation helpful? Give feedback.
-
|
I got this info by console logging This is the User data schema for mongoose: export const Users = mongoose.model<DatabaseUser>(
"Users",
new mongoose.Schema({
id: { type: String, unique: true },
hashed_password: String,
identifier_token: { type: String, unique: true },
user_data: { type: Object, default: {} },
}),
'users'
) |
Beta Was this translation helpful? Give feedback.
-
|
I'll test it on my side, give me a moment |
Beta Was this translation helpful? Give feedback.
-
|
Looking at the screenshot, it looks like the adapter is returning {
doc: {
id: "abcdefg",
hashed_password: "hashed_123456789",
identifier_token: "email:[email protected]",
email: "[email protected]",
username: "user",
},
}; |
Beta Was this translation helpful? Give feedback.
-
|
So I've fixed the schema and the createUser adapter function: createUser: async (id, data) => {
const { hashed_password, identifier_token, user_data } = data
const user = new Users({
id,
hashed_password,
identifier_token,
...user_data,
})
await user.save()
},export const Users = mongoose.model<DatabaseUser>(
"Users",
new mongoose.Schema({
id: { type: String, unique: true },
hashed_password: String,
identifier_token: { type: String, unique: true },
}, { strict: false }),
'users'
)And now when I log |
Beta Was this translation helpful? Give feedback.
-
|
Scratch that, the hashed_password still gets logged.. |
Beta Was this translation helpful? Give feedback.
Can you tell me where that screenshot is from, and how the data is stored in Mongoose? Adapters only return what's stored in the database and
lucia-sveltekitpicks what's needed from it.hashed_passwordshould be returned from adapters but should not be passed onto the client.The object returned from get functions should be :
So for example: