SessionStore: replace password with PASSWORD_HIDDEN when storing in db

Fixes #3421.
2026-05-11 07:06:26 +02:00 · 2020-03-29 09:35:20 +00:00 · 2020-03-29 09:35:20 +00:00 · 53f126082a
commit 53f126082a
parent 3e8b426847
1 changed files with 5 additions and 0 deletions
--- a/src/node/db/SessionStore.js
+++ b/src/node/db/SessionStore.js
@ -38,6 +38,11 @@ SessionStore.prototype.get = function(sid, fn) {
 SessionStore.prototype.set = function(sid, sess, fn) {
  messageLogger.debug('SET ' + sid);

+  // don't store passwords in DB
+  if (sess.user && sess.user.password) {
+    sess.user.password = "PASSWORD_HIDDEN";
+  }
+
  db.set("sessionstorage:" + sid, sess);
  if (fn) {
    process.nextTick(fn);