rkusa/koa-passport

Should `ctx.state.user` contain `password`?

fancyoung opened this issue · 1 comment

When I use koa-passport with passport-local,
user database info such as the password is in ctx.state.user.

What's ctx.state.user used for?
Should I wrap it (remove the password) before passing it to the frontend, or did I make some mistake?

rkusa commented

passport-local usually puts the username and password into req.user. koa has ctx.state for custom data, which is why the object is put into ctx.state.user instead.

> What's ctx.state.user used for?
> Should I wrap it (remove the password) before passing it to the frontend, or did I make some mistake?

Yes, you should definitely not return the password to the frontend (and also don't have it available as plain text in the database object). I think most passport-local usages serialize and deserialize the user by its ID (and not the whole object), see e.g. https://github.com/rkusa/koa-passport-example/blob/master/auth.js#L11-L13.