implemented security practice to hide password hashes from api responses using excludePassword helper function

Author: Kuzma02

server/controllers/users.js

@@ -2,10 +2,19 @@ const { PrismaClient } = require("@prisma/client");
 const prisma = new PrismaClient();
 const bcrypt = require("bcryptjs");
 
+// Helper function to exclude password from user object
+function excludePassword(user) {
+  if (!user) return user;
+  const { password, ...userWithoutPassword } = user;
+  return userWithoutPassword;
+}
+
 async function getAllUsers(request, response) {
   try {
     const users = await prisma.user.findMany({});
-    return response.json(users);
+    // Exclude password from all users
+    const usersWithoutPasswords = users.map(user => excludePassword(user));
+    return response.json(usersWithoutPasswords);
   } catch (error) {
     return response.status(500).json({ error: "Error fetching users" });
   }
@@ -23,7 +32,8 @@ async function createUser(request, response) {
         role,
       },
     });
-    return response.status(201).json(user);
+    // Exclude password from response
+    return response.status(201).json(excludePassword(user));
   } catch (error) {
     console.error("Error creating user:", error);
     return response.status(500).json({ error: "Error creating user" });
@@ -56,7 +66,8 @@ async function updateUser(request, response) {
       },
     });
 
-    return response.status(200).json(updatedUser);
+    // Exclude password from response
+    return response.status(200).json(excludePassword(updatedUser));
   } catch (error) {
     return response.status(500).json({ error: "Error updating user" });
   }
@@ -87,7 +98,8 @@ async function getUser(request, response) {
   if (!user) {
     return response.status(404).json({ error: "User not found" });
   }
-  return response.status(200).json(user);
+  // Exclude password from response
+  return response.status(200).json(excludePassword(user));
 }
 
 async function getUserByEmail(request, response) {
@@ -100,7 +112,8 @@ async function getUserByEmail(request, response) {
   if (!user) {
     return response.status(404).json({ error: "User not found" });
   }
-  return response.status(200).json(user);
+  // Exclude password from response
+  return response.status(200).json(excludePassword(user));
 }
 
 module.exports = {

server/tests/manual-security-check.js

@@ -0,0 +1,107 @@
+// Quick manual security check for password exposure
+const axios = require('axios');
+
+const API_BASE_URL = 'http://localhost:3001';
+
+async function quickSecurityCheck() {
+  console.log("🔍 Quick Security Check - Testing Password Exposure Prevention\n");
+  
+  try {
+    // 1. Create a test user
+    console.log("1. Creating test user...");
+    const createResponse = await axios.post(`${API_BASE_URL}/api/users`, {
+      email: 'security-test@example.com',
+      password: 'secretpassword123',
+      role: 'user'
+    });
+    
+    console.log("   ✅ User created successfully");
+    console.log("   �� Response data:", JSON.stringify(createResponse.data, null, 2));
+    
+    // Check if password is in response
+    if (createResponse.data.password) {
+      console.log("   ❌ SECURITY ISSUE: Password found in create response!");
+      return;
+    } else {
+      console.log("   ✅ Password correctly excluded from create response");
+    }
+    
+    const userId = createResponse.data.id;
+    
+    // 2. Get the user by ID
+    console.log("\n2. Getting user by ID...");
+    const getResponse = await axios.get(`${API_BASE_URL}/api/users/${userId}`);
+    
+    console.log("   📋 Response data:", JSON.stringify(getResponse.data, null, 2));
+    
+    if (getResponse.data.password) {
+      console.log("   ❌ SECURITY ISSUE: Password found in get response!");
+      return;
+    } else {
+      console.log("   ✅ Password correctly excluded from get response");
+    }
+    
+    // 3. Get user by email
+    console.log("\n3. Getting user by email...");
+    const emailResponse = await axios.get(`${API_BASE_URL}/api/users/email/security-test@example.com`);
+    
+    console.log("   📋 Response data:", JSON.stringify(emailResponse.data, null, 2));
+    
+    if (emailResponse.data.password) {
+      console.log("   ❌ SECURITY ISSUE: Password found in email lookup response!");
+      return;
+    } else {
+      console.log("   ✅ Password correctly excluded from email lookup response");
+    }
+    
+    // 4. Get all users
+    console.log("\n4. Getting all users...");
+    const allUsersResponse = await axios.get(`${API_BASE_URL}/api/users`);
+    
+    console.log(`   📋 Retrieved ${allUsersResponse.data.length} users`);
+    
+    // Check if any user has password field
+    const hasPasswordInAnyUser = allUsersResponse.data.some(user => user.password);
+    if (hasPasswordInAnyUser) {
+      console.log("   ❌ SECURITY ISSUE: Password found in get all users response!");
+      return;
+    } else {
+      console.log("   ✅ Password correctly excluded from all users response");
+    }
+    
+    // 5. Update user
+    console.log("\n5. Updating user...");
+    const updateResponse = await axios.put(`${API_BASE_URL}/api/users/${userId}`, {
+      email: 'updated-security-test@example.com',
+      password: 'newsecretpassword456',
+      role: 'admin'
+    });
+    
+    console.log("   �� Response data:", JSON.stringify(updateResponse.data, null, 2));
+    
+    if (updateResponse.data.password) {
+      console.log("   ❌ SECURITY ISSUE: Password found in update response!");
+      return;
+    } else {
+      console.log("   ✅ Password correctly excluded from update response");
+    }
+    
+    // Clean up
+    console.log("\n6. Cleaning up test user...");
+    await axios.delete(`${API_BASE_URL}/api/users/${userId}`);
+    console.log("   ✅ Test user deleted");
+    
+    console.log("\n🎉 ALL SECURITY CHECKS PASSED!");
+    console.log("🔒 Password fields are correctly excluded from all API responses!");
+    
+  } catch (error) {
+    console.error("❌ Test failed:", error.message);
+    if (error.response) {
+      console.error("   Response status:", error.response.status);
+      console.error("   Response data:", error.response.data);
+    }
+  }
+}
+
+// Run the check
+quickSecurityCheck();

server/tests/run-security-tests.js

@@ -0,0 +1,21 @@
+// Security Test Runner
+const { runUserSecurityTests } = require('./user-security.test');
+
+async function runAllSecurityTests() {
+  console.log("🚀 Starting Security Test Suite...\n");
+  
+  try {
+    await runUserSecurityTests();
+    console.log("\n🎉 All security tests completed successfully!");
+  } catch (error) {
+    console.error("\n❌ Security tests failed:", error.message);
+    process.exit(1);
+  }
+}
+
+// Run tests if this file is executed directly
+if (require.main === module) {
+  runAllSecurityTests();
+}
+
+module.exports = { runAllSecurityTests };