Narrows down what can be saved when signing up (#1236)

2024-12-26 10:35:04 +03:00 · 2023-06-07 14:23:27 +02:00 · 2023-06-07 14:23:27 +02:00 · e2ba85153b
commit e2ba85153b
parent ec307d0a3d
4 changed files with 22 additions and 5 deletions
--- a/waspc/ChangeLog.md
+++ b/waspc/ChangeLog.md
@ -1,5 +1,10 @@
 # Changelog

+## v0.10.7
+
+### Breaking changes
+- Wasp's signup action now saves only the fields relevant to the auth process to the database. This prevents users from injecting arbitrary data into the database.
+
 ## v0.10.6

 ### Bug fixes
--- a/waspc/data/Generator/templates/server/src/auth/providers/email/signup.ts
+++ b/waspc/data/Generator/templates/server/src/auth/providers/email/signup.ts
@ -42,7 +42,10 @@ export function getSignupRoute({
            await deleteUser(existingUser);
        }
    
-        const user = await createUser(userFields);
+        const user = await createUser({
+            email: userFields.email,
+            password: userFields.password,
+        });

        const verificationLink = await createEmailVerificationLink(user, clientRoute);
        try {
--- a/waspc/data/Generator/templates/server/src/auth/providers/local/signup.ts
+++ b/waspc/data/Generator/templates/server/src/auth/providers/local/signup.ts
@ -5,7 +5,10 @@ import { createUser } from '../../utils.js'
 export default handleRejection(async (req, res) => {
  const userFields = req.body || {}

-  await createUser(userFields)
+  await createUser({
+    username: userFields.username,
+    password: userFields.password,
+  })

  return res.json({ success: true })
 })
--- a/web/docs/language/features.md
+++ b/web/docs/language/features.md
@ -1144,11 +1144,18 @@ Login is a regular action and can be used directly from the frontend.

 #### `signup()`
 An action for signing up the user. This action does not log in the user, you still need to call `login()`.
+
 ```js
 signup(userFields)
 ```
 #### `userFields: object`
-Fields of user entity which was declared in `auth`.
+Auth-related fields (either `username` or `email` and `password`) of the user entity which was declared in `auth`.
+
+:::info
+Wasp only stores the auth-related fields of the user entity. Adding extra fields to `userFields` will not have any effect.
+
+If you need to add extra fields to the user entity, we suggest doing it in a separate step after the user logs in for the first time.
+:::

 #### `import statement`:
 ```js
@ -1156,7 +1163,6 @@ import signup from '@wasp/auth/signup.js'
 ```
 Signup is a regular action and can be used directly from the frontend.

-
 #### `logout()`
 An action for logging out the user.
 ```js
@ -1169,7 +1175,7 @@ import logout from '@wasp/auth/logout.js'
 ```

 ##### Example of usage:
-```js
+```jsx
 import logout from '@wasp/auth/logout.js'

 const SignOut = () => {