Should `ctx.state.user` contain `password`?
fancyoung opened this issue · 1 comment
When I use koa-passport with passport-local, user database info such as the password is in `ctx.state.user`. What is `ctx.state.user` used for? Should I wrap it (remove the password) before passing it to the frontend, or did I make some mistake?
passport-local usually puts the username and password into `req.user`. koa has `ctx.state` for custom data, which is why the object is put into `ctx.state.user` instead.

> What is `ctx.state.user` used for? Should I wrap it (remove the password) before passing it to the frontend, or did I make some mistake?

Yes, you should definitely not return the password to the frontend (and also don't have it as plain text available in the database object). I think most passport-local usages serialize and deserialize the user by its ID (and not the whole object), see e.g. https://github.com/rkusa/koa-passport-example/blob/master/auth.js#L11-L13.
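The pattern the reply describes, as an added example that is not code from the issue, from koa-passport or from passport: the session carries only the user id, the full database record is rebuilt server-side on each request, and the object sent to the frontend is a whitelisted copy rather than the record itself. The in-memory `users` store, the `session.passport.user` shape, the `simulateLoginThenRequest` driver and the placeholder hash value are assumptions for illustration, not the libraries' own code.

```javascript
// Added example, not from koa-passport or the issue. The user store, session
// shape and helper names below are assumptions made for illustration.

// Constructed in-memory user store. The hash string is a placeholder, not a
// real hash; the point is that no plain-text password lives in the record.
const users = new Map([
  [1, { id: 1, username: 'alice', passwordHash: 'argon2id$placeholder' }],
]);

// passport-style serializer: only the id is written to the session.
function serializeUser(user, done) {
  done(null, user.id);
}

// passport-style deserializer: rebuild the user from the id on each request.
// Returning `false` signals "no such user" without raising an error.
function deserializeUser(id, done) {
  const user = users.get(id);
  if (!user) return done(null, false);
  done(null, user);
}

// Whitelist, not blacklist: copy only the fields the frontend needs, so a
// new sensitive column added later is never leaked by accident.
const PUBLIC_FIELDS = ['id', 'username'];
function toPublicUser(user) {
  const out = {};
  for (const field of PUBLIC_FIELDS) {
    if (field in user) out[field] = user[field];
  }
  return out;
}

// Simulates a login followed by a later request in the same session.
// Returns what ended up in the session, in ctx.state.user, and in the body.
function simulateLoginThenRequest(username) {
  const session = {};
  const found = [...users.values()].find((u) => u.username === username);
  if (!found) return { session, stateUser: null, body: null };

  // Login: serialize the authenticated user into the session.
  let storedId;
  serializeUser(found, (err, id) => {
    if (err) throw err;
    storedId = id;
  });
  session.passport = { user: storedId }; // the session holds only the id

  // Later request: deserialize into ctx.state.user, respond with a copy.
  const ctx = { state: {}, session, body: null };
  let restored;
  deserializeUser(ctx.session.passport.user, (err, user) => {
    if (err) throw err;
    restored = user;
  });
  if (!restored) return { session, stateUser: null, body: null };
  ctx.state.user = restored;          // full record, server-side only
  ctx.body = toPublicUser(ctx.state.user); // stripped copy for the client
  return { session: ctx.session, stateUser: ctx.state.user, body: ctx.body };
}
```

`ctx.state.user` keeping the whole record is fine: it is server-side request state and middleware may legitimately need other columns. The boundary to guard is `ctx.body`, which is why the copy happens there and uses an explicit field list.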