Security lack on signin error render

[camfou]

Hi,

connect/routes/signin.js

Line 66 in 325f639

params: qs.stringify(req.body),

In case of authenticator.dispatch error or missing user, we put the entire body as query string in the render attributes. Then in the signin.jade template we use it to create URLs

connect/views/signin.jade

Line 44 in 325f639

a(href='/connect/' + provider + '?' + params, title=providerInfo[provider].name, class='provider protocol-' + providerInfo[provider].protocol + ' '+ provider)

In this case the password could appears in the URL. Even if SSL encrypt the qs, I don't think it's a good idea to keep the password after usage (referer leakage, browser history, proxy logs ...)!

Regards,
Camille