
Architecture: Login endpoint returns full user object including password hash in JSON response, enables potential hash extraction #698

@anshul23102

Description


Problem

Login endpoint returns req.user directly (line 35 of auth.js), which includes the password hash and potentially other sensitive fields.

Technical Details

File: backend/routes/auth.js
Line: 35

res.status(200).json({ message: 'Login successful', user: req.user });

This returns the entire user document, including the password hash.

Risk

  • Password hash exposed in response
  • If response is logged/cached, hash accessible
  • Additional fields may be unintentionally exposed
  • Expands attack surface

Recommended Solution

Return only safe user fields:

router.post("/login", validateRequest(loginSchema),
  passport.authenticate('local'),
  (req, res) => {
    // Extract only safe fields (allowlist)
    const safeUser = {
      id: req.user._id,
      username: req.user.username,
      email: req.user.email,
      // Don't include: password, passwordHash, __v
    };

    res.status(200).json({
      message: 'Login successful',
      user: safeUser
    });
  }
);

// Or define a toJSON method in the User model
UserSchema.methods.toJSON = function () {
  const obj = this.toObject();
  delete obj.password;  // Exclude password from JSON
  return obj;
};

// Then the response stays simple (res.json also calls toJSON implicitly)
res.status(200).json({
  message: 'Login successful',
  user: req.user.toJSON()
});

Testing Strategy

  • Test: Password hash not in response
  • Test: Only safe fields returned (id, username, email)
  • Monitor: Response size appropriate
  • Audit: No sensitive fields leaked
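The two pieces the tests above need, as an added example (not code from this issue or the project): an allowlist serializer for the login response, so a field added to the model later is never exposed by accident, and a helper that walks a JSON body for sensitive keys at any depth. It assumes a Mongoose-like document exposing toObject(); the sample user and its hash value are constructed stand-ins for req.user.

```javascript
// Added example; sampleUser below is constructed test data, not a real record.
const SAFE_USER_FIELDS = ['id', 'username', 'email'];
const SENSITIVE_KEY_RE = /^(password|passwordHash|hash|salt|__v|resetToken|refreshToken)$/i;

// Allowlist: copy only the fields we explicitly want to expose.
// Unlike `delete obj.password`, a new sensitive field added to the
// model later is never returned by accident.
function toSafeUser(userDoc) {
  const src = typeof userDoc.toObject === 'function' ? userDoc.toObject() : userDoc;
  const out = { id: String(src._id ?? src.id) };
  for (const key of SAFE_USER_FIELDS) {
    if (key !== 'id' && src[key] !== undefined) out[key] = src[key];
  }
  return out;
}

// Audit helper for tests: return the dotted paths of every sensitive key in a body.
function findSensitiveKeys(value, path = '') {
  const found = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => found.push(...findSensitiveKeys(v, `${path}[${i}]`)));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (SENSITIVE_KEY_RE.test(k)) found.push(p);
      found.push(...findSensitiveKeys(v, p));
    }
  }
  return found;
}

// Constructed sample standing in for a Mongoose user document.
const sampleUser = {
  _id: '64f1c0ffee0000000000abcd',
  username: 'alice',
  email: 'alice@example.com',
  password: '$2b$10$constructedfakebcrypthashvalue',
  __v: 0,
  toObject() { const { toObject, ...rest } = this; return rest; },
};

// Before: what the current line 35 sends (hash included).
const leakyBody = { message: 'Login successful', user: sampleUser.toObject() };
// After: allowlisted fields only.
const safeBody = { message: 'Login successful', user: toSafeUser(sampleUser) };
```

findSensitiveKeys can be run over any recorded response body in the test suite, not only the login one, to cover the "Audit: No sensitive fields leaked" item.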

Program Template

  • GSSoC '26

Suggested Labels

security, data-exposure, authentication, gssoc-eligible
