Merge pull request #31 from osiastedian/bug-001-two-factor-secret-leak

osiastedian · web-flow · commit 62477cd74934 · 2025-10-08T21:46:08.000+08:00
Security: stop returning gAuthSecret in GET /user/verify2fa/:id; only…
diff --git a/controllers/user.js b/controllers/user.js
@@ -247,9 +247,6 @@ const getUser2fa = async (req, res, next) => {
           if (key === 'twoFa' || key === 'gAuth' || key === 'sms') {
             // eslint-disable-next-line no-underscore-dangle
             userData[key] = user._fieldsProto[key].booleanValue
-          } else if (key === 'gAuthSecret') {
-            // eslint-disable-next-line no-underscore-dangle
-            userData[key] = user._fieldsProto[key].stringValue
           }
         }
       }

Original file line number	Diff line number	Diff line change
`@@ -247,9 +247,6 @@ const getUser2fa = async (req, res, next) => {`
`247`	`247`	`if (key === 'twoFa' \|\| key === 'gAuth' \|\| key === 'sms') {`
`248`	`248`	`// eslint-disable-next-line no-underscore-dangle`
`249`	`249`	`userData[key] = user._fieldsProto[key].booleanValue`
`250`		`- } else if (key === 'gAuthSecret') {`
`251`		`- // eslint-disable-next-line no-underscore-dangle`
`252`		`- userData[key] = user._fieldsProto[key].stringValue`
`253`	`250`	`}`
`254`	`251`	`}`
`255`	`252`	`}`