Secure password reset endpoints (#5167)

fix: prevent sensitive data exposure in password reset
Ong Chung Yau
2025-09-04 18:14:11 +08:00
committed by GitHub
parent 2ab20f71d9
commit 9e178d6887
3 changed files with 15 additions and 3 deletions
@@ -25,6 +25,7 @@ import { RoleErrorMessage, RoleService } from './role.service'
import { UserErrorMessage, UserService } from './user.service'
import { WorkspaceUserErrorMessage, WorkspaceUserService } from './workspace-user.service'
import { WorkspaceErrorMessage, WorkspaceService } from './workspace.service'
import { sanitizeUser } from '../../utils/sanitize.util'
type AccountDTO = {
user: Partial<User>
@@ -540,7 +541,7 @@ export class AccountService {
await queryRunner.release()
}
return data
return sanitizeUser(data.user)
}
public async resetPassword(data: AccountDTO) {
@@ -582,7 +583,7 @@ export class AccountService {
await queryRunner.release()
}
return data
return sanitizeUser(data.user)
}
public async logout(user: LoggedInUser) {
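Review bot: Both rewritten returns still hand the caller the whole user record minus three fields, so every other `User` property remains in the response. If these methods back the unauthenticated reset routes (the controllers are not visible here), returning a fixed acknowledgement instead of a trimmed entity would expose less and would stop the response from confirming that an account exists. The return value also changes from the `AccountDTO` to a bare `Partial<User>`, so any caller that reads other members of the old result needs checking. Because `sanitizeUser` deletes in place, `data.user` itself loses `credential` for whatever code runs after the call. Both method bodies start outside the hunks, and the first method's name is not shown.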
@@ -9,6 +9,7 @@ import { DataSource, QueryRunner } from 'typeorm'
import { generateId } from '../../utils'
import { GeneralErrorMessage } from '../../utils/constants'
import { getHash } from '../utils/encryption.util'
import { sanitizeUser } from '../../utils/sanitize.util'
export const enum UserErrorMessage {
EXPIRED_TEMP_TOKEN = 'Expired Temporary Token',
@@ -174,6 +175,6 @@ export class UserService {
if (queryRunner && !queryRunner.isReleased) await queryRunner.release()
}
return updatedUser
return sanitizeUser(updatedUser)
}
}
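Review bot: Stripping the fields at this one `return` protects only this method; other `UserService` methods that return a `User` are untouched by the commit and would still carry `credential`, `tempToken` and `tokenExpiry`. Applying `sanitizeUser` once at the controller or serialization boundary would cover every route and would leave internal callers of this method with the full entity if they need it. It cannot be ruled out from the hunk that `updatedUser` is unassigned on some path, in which case the `delete` statements inside `sanitizeUser` would throw; a guard such as `if (!updatedUser) return updatedUser` before the call would make that explicit. The method body starts outside the hunk.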
@@ -1,3 +1,5 @@
import { User } from '../enterprise/database/entities/user.entity'
export function sanitizeNullBytes(obj: any): any {
const stack = [obj]
@@ -30,3 +32,11 @@ export function sanitizeNullBytes(obj: any): any {
return obj
}
export function sanitizeUser(user: Partial<User>) {
delete user.credential
delete user.tempToken
delete user.tokenExpiry
return user
}
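Review bot: `sanitizeUser` is a denylist that mutates its argument, so any sensitive column added to `User` later is returned by default, and the caller's own object silently loses `credential`. Building a new object avoids the side effect, e.g. `const { credential, tempToken, tokenExpiry, ...safe } = user` followed by `return safe`. Copying an explicit allowlist of fields into the result would be safer still, because it fails closed. The function also has no doc comment or declared return type; a short TSDoc stating which fields are removed and that the result is meant for API responses, plus a return type of `Omit<Partial<User>, 'credential' | 'tempToken' | 'tokenExpiry'>`, would let the compiler flag code that reads the stripped fields afterwards.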