From ea35b242da316e75928a0a6d336378ea50f4d6f8 Mon Sep 17 00:00:00 2001
From: eug-vs <eug-vs@keemail.me>
Date: Mon, 22 Jun 2020 19:08:35 +0300
Subject: fix: protect password field in ALL calls

---
 services/users/users.hooks.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'services/users/users.hooks.ts')

diff --git a/services/users/users.hooks.ts b/services/users/users.hooks.ts
index fc17ed7..580d1d2 100644
--- a/services/users/users.hooks.ts
+++ b/services/users/users.hooks.ts
@@ -1,7 +1,14 @@
 import { hooks } from '@feathersjs/authentication-local';
+import { HookContext } from '@feathersjs/feathers';
 
 const hashPassword = hooks.hashPassword('password');
-const protectPassword = hooks.protect('password');
+
+const protectPassword = async (context: HookContext): Promise<HookContext> => {
+  const { dispatch } = hooks.protect('password')(context);
+  context.result = dispatch;
+  context.dispatch = dispatch;
+  return context;
+}
 
 export default {
   after: {
-- 
cgit v1.2.3


From ef94c648b14bd09bf28b8f47ed015b319aa8f0cc Mon Sep 17 00:00:00 2001
From: eug-vs <eug-vs@keemail.me>
Date: Mon, 22 Jun 2020 21:09:14 +0300
Subject: fix: protect only local 'get' queries

---
 services/users/users.hooks.ts | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

(limited to 'services/users/users.hooks.ts')

diff --git a/services/users/users.hooks.ts b/services/users/users.hooks.ts
index 580d1d2..8eecca3 100644
--- a/services/users/users.hooks.ts
+++ b/services/users/users.hooks.ts
@@ -3,16 +3,15 @@ import { HookContext } from '@feathersjs/feathers';
 
 const hashPassword = hooks.hashPassword('password');
 
-const protectPassword = async (context: HookContext): Promise<HookContext> => {
-  const { dispatch } = hooks.protect('password')(context);
-  context.result = dispatch;
-  context.dispatch = dispatch;
+const localDispatch = async (context: HookContext): Promise<HookContext> => {
+  context.result = context.dispatch;
   return context;
 }
 
 export default {
   after: {
-    all: [protectPassword]
+    all: [hooks.protect('password')],
+    get: [localDispatch] // Protect password from local get's
   },
   before: {
     create: [hashPassword],
-- 
cgit v1.2.3