I’m using some of the NestJS sample repo 19-auth-jwt to implement an authentication system. But I’m facing a bug.
In the provider for the auth module (auth.services.ts), the method `validateUser()` uses JS ES6 syntax to remove the password from the user before returning it, as explained in the docs.
```typescript
async validateUser(username: string, pass: string): Promise<any> {
  const user = await this.usersService.findOne(username);
  if (user && user.password === pass) {
    const { password, ...result } = user;
    return result;
  }
  return null;
}
```
This is not working for me, `result` looks like this:
```
{
  '$__': InternalCache {
    activePaths: StateMachine {
      paths: [Object],
      states: [Object],
      stateNames: [Array]
    },
    skipId: true,
    strictMode: true,
    selected: {},
    fields: {},
    exclude: null
  },
  '$isNew': false,
  _doc: {
    _id: new ObjectId("6299077a1c8989d6bdc3cb34"),
    first_name: 'Test',
    email: '[email protected]',
    password: '$2b$10$/ndkmG7qLh8RReko7TvsPOC15xd.mVDUY9mC3SVbkVndgZlVDzU4.',
    __v: 0
  }
}
```
Not only has it not removed the password, but it is also creating a bizarre data structure, which means I can’t get the user data which I then need to pass in my JWT without changing the code to access the `_doc`.
If I just return `user` instead it works (but obviously doesn’t remove the password).
My questions are:
- Why is this happening? My best guess is this is something to do with promises but I don’t know.
- Should I be concerned about not removing the password if it is well protected? Note that I’m not actually returning it, this request only returns the JWT which holds the user _id, no more data.
- If it is a concern, what can I do about it?
- Is this a bug or my mistake?
I’m using MongoDB and mongoose as you might be able to tell. I’m new to Nest btw.
Reference to the code line where this is happening.
Thank you!
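An added example, not part of the original post and not NestJS or Mongoose code, showing why object rest on a document produces the structure in the dump above and how converting to a plain object first avoids it. `FakeDoc`, `stripNaive`, `stripSafe` and the sample values are hypothetical names and constructed data; `FakeDoc` is assumed to mirror the layout Mongoose uses (fields in `_doc`, schema paths as prototype getters).

```typescript
// Constructed stand-in for a Mongoose document; it mirrors the layout in the
// dump above (assumption) and is not Mongoose itself.
type Raw = Record<string, unknown>;

class FakeDoc {
  $__: Raw = { strictMode: true }; // internal state: own, enumerable
  $isNew = false;                  // own, enumerable
  _doc: Raw;                       // the stored fields live here

  constructor(fields: Raw) {
    this._doc = fields;
  }

  // Schema paths are accessors on the prototype, so object rest skips them.
  get password(): unknown { return this._doc.password; }
  get first_name(): unknown { return this._doc.first_name; }

  // Plays the role of Mongoose's toObject(): a plain copy of the fields.
  toObject(): Raw { return { ...this._doc }; }
}

// Pattern from the post: `password` is read through the getter, then the rest
// copies only own properties ($__, $isNew, _doc), hash included inside _doc.
function stripNaive(user: FakeDoc): Raw {
  const { password, ...result } = user;
  return result as Raw;
}

// Convert to a plain object first, then the same destructuring works.
function stripSafe(user: FakeDoc): Raw {
  const { password, ...result } = user.toObject();
  return result;
}

// Constructed sample values, not the data from the post.
const sample = new FakeDoc({ first_name: 'Test', password: 'constructed-hash' });
console.log(Object.keys(stripNaive(sample)));
console.log(stripSafe(sample));
```

With a real Mongoose model, calling `toObject()` on the document or `.lean()` on the query yields the plain object that the destructuring expects.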