From 008585e97b787ca366c6b857ebd30e96c200638c Mon Sep 17 00:00:00 2001
From: John Furrow
Date: Sat, 25 Feb 2017 20:19:51 -0800
Subject: [PATCH] Remove auth failure reasons and password from JWT

---
 server/routes/auth.js | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

diff --git a/server/routes/auth.js b/server/routes/auth.js
index a14bc242..d61b0825 100644
--- a/server/routes/auth.js
+++ b/server/routes/auth.js
@@ -10,6 +10,8 @@ let config = require('../../config');
 let router = express.Router();
 let Users = require('../models/Users');
 
+const failedLoginResponse = 'Failed login.';
+
 router.post('/authenticate', (req, res) => {
   let credentials = {
     password: req.body.password,
@@ -18,7 +20,8 @@ router.post('/authenticate', (req, res) => {
 
   Users.comparePassword(credentials, (isMatch, err) => {
     if (isMatch == null) {
-      return res.status(401).json({message: 'You entered an incorrect username.'});
+      // Incorrect username.
+      return res.status(401).json({message: failedLoginResponse});
     }
 
     if (isMatch && !err) {
@@ -26,14 +29,20 @@ router.post('/authenticate', (req, res) => {
       let cookieExpiration = Date.now() + expirationSeconds * 1000;
 
       // Create token if the password matched and no error was thrown.
-      let token = jwt.sign(credentials, config.secret, {
+      let token = jwt.sign({username: credentials.username}, config.secret, {
         expiresIn: expirationSeconds
       });
-      res.cookie('jwt', token, {expires: new Date(cookieExpiration), httpOnly: true});
+      res.cookie(
+        'jwt',
+        token,
+        {expires: new Date(cookieExpiration), httpOnly: true}
+      );
+
       return res.json({success: true, token: `JWT ${token}`});
     } else {
-      return res.status(401).json({message: 'You entered an incorrect password.'});
+      // Incorrect password.
+      return res.status(401).json({message: failedLoginResponse});
     }
   });
 });
 
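Review bot: `failedLoginResponse` carries no comment saying why the message is deliberately generic, so a later edit can reintroduce a specific reason without noticing it undoes this commit; add `// Deliberately generic: the response must not reveal whether the username or the password was wrong.` above the declaration. As a point of style, the neighbouring module-level bindings (`router`, `Users`) use `let` while this one uses `const`; `const` is the right choice for all of them, but mixing the two on adjacent lines reads as accidental.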
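Review bot: The unified message only partly removes the username/password distinction, because the `isMatch == null` branch answers before any password comparison has been done, so the two failure paths can still differ in response time. If `Users.comparePassword` (outside this hunk) short-circuits on an unknown user, consider having it compare against a fixed dummy hash so both paths cost roughly the same before the 401 is sent. `isMatch == null` is also a loose comparison; either `isMatch === null || isMatch === undefined` or a comment stating that both values are intended would make the contract with `comparePassword` explicit. The `comparePassword` callback continues into the following hunk.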
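Review bot: The `else` branch still returns 401 with `failedLoginResponse` when `err` is set, so a failure inside `comparePassword` (not a wrong password) is reported to the client as a failed login and the error is never logged; add `} else if (err) { console.error(err); return res.status(500).json({message: 'Authentication error.'}); }` before the existing `else`. The rebuilt `res.cookie` options set only `httpOnly`; since the cookie carries the session JWT, the options object should also include `secure: true` (and `sameSite: 'strict'` where the installed Express supports it), because otherwise the token is sent over plain HTTP and on cross-site requests. The token is also returned in the JSON body as `JWT ${token}`, so it is delivered on two channels; if the cookie is the intended transport, the body copy is worth reconsidering. The enclosing `comparePassword` callback begins in the previous hunk.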
@@ -42,7 +51,10 @@ router.post('/authenticate', (req, res) => {
 router.use('/register', (req, res, next) => {
   Users.initialUserGate({
     handleInitialUser: next.bind(this),
-    handleSubsequentUser: passport.authenticate('jwt', {session: false}).bind(this, req, res, next)
+    handleSubsequentUser: passport.authenticate(
+      'jwt',
+      {session: false}
+    ).bind(this, req, res, next)
   });
 });
 
@@ -63,7 +75,10 @@ router.use('/verify', (req, res, next) => {
     },
     handleSubsequentUser: () => {
       req.initialUser = false;
-      passport.authenticate('jwt', {session: false}).call(this, req, res, next);
+      passport.authenticate(
+        'jwt',
+        {session: false}
+      ).call(this, req, res, next);
     }
   });
 });
@@ -73,7 +88,10 @@ router.get('/verify', (req, res, next) => {
 });
 
 // All subsequent routes are protected.
-router.use('/', passport.authenticate('jwt', {session: false}));
+router.use(
+  '/',
+  passport.authenticate('jwt', {session: false})
+);
 
 router.get('/users', (req, res, next) => {
   Users.listUsers(ajaxUtil.getResponseFn(res));