Exclude user's own password from /me endpoint (#20735)

4 years ago · 4ec6e41c83
parent dce9364be9
commit 4ec6e41c83
2 changed files with 3 additions and 1 deletions
--- a/app/api/server/v1/misc.js
+++ b/app/api/server/v1/misc.js
@ -49,7 +49,8 @@ API.v1.addRoute('info', { authRequired: false }, {

 API.v1.addRoute('me', { authRequired: true }, {
 	get() {
-		return API.v1.success(this.getUserInfo(Users.findOneById(this.userId, { fields: getDefaultUserFields() })));
+		const { 'services.password.bcrypt': password, ...fields } = getDefaultUserFields();
+		return API.v1.success(this.getUserInfo(Users.findOneById(this.userId, { fields })));
 	},
 });

--- a/tests/end-to-end/api/00-miscellaneous.js
+++ b/tests/end-to-end/api/00-miscellaneous.js
@ -155,6 +155,7 @@ describe('miscellaneous', function() {
 				expect(res.body).to.have.nested.property('emails[0].address', adminEmail);
 				expect(res.body).to.have.nested.property('settings.preferences').and.to.be.an('object');
 				expect(res.body.settings.preferences).to.have.all.keys(allUserPreferencesKeys);
+				expect(res.body.services).to.not.have.property('password');
 			})
 			.end(done);
 	});