From e2ba85153b59f1d45f02256c1bba1b0106dd53b1 Mon Sep 17 00:00:00 2001
From: Mihovil Ilakovac
Date: Wed, 7 Jun 2023 14:23:27 +0200
Subject: [PATCH] Narrows down what can be saved when signing up (#1236)
---
 waspc/ChangeLog.md | 5 +++++
 .../server/src/auth/providers/email/signup.ts | 5 ++++-
 .../server/src/auth/providers/local/signup.ts | 5 ++++-
 web/docs/language/features.md | 12 +++++++++---
 4 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/waspc/ChangeLog.md b/waspc/ChangeLog.md
index 53eb2a050..fd198733c 100644
--- a/waspc/ChangeLog.md
+++ b/waspc/ChangeLog.md
@@ -1,5 +1,10 @@
 # Changelog
+## v0.10.7
+
+### Breaking changes
+- Wasp's signup action now saves only the fields relevant to the auth process to the database. This prevents users from injecting arbitrary data into the database.
+
 ## v0.10.6
 ### Bug fixes
diff --git a/waspc/data/Generator/templates/server/src/auth/providers/email/signup.ts b/waspc/data/Generator/templates/server/src/auth/providers/email/signup.ts
index be4994d53..290e9f3a8 100644
--- a/waspc/data/Generator/templates/server/src/auth/providers/email/signup.ts
+++ b/waspc/data/Generator/templates/server/src/auth/providers/email/signup.ts
@@ -42,7 +42,10 @@ export function getSignupRoute({
 await deleteUser(existingUser);
 }
- const user = await createUser(userFields);
+ const user = await createUser({
+ email: userFields.email,
+ password: userFields.password,
+ });
 const verificationLink = await createEmailVerificationLink(user, clientRoute);
 try {
diff --git a/waspc/data/Generator/templates/server/src/auth/providers/local/signup.ts b/waspc/data/Generator/templates/server/src/auth/providers/local/signup.ts
index 797e8b6f2..f1381a371 100644
--- a/waspc/data/Generator/templates/server/src/auth/providers/local/signup.ts
+++ b/waspc/data/Generator/templates/server/src/auth/providers/local/signup.ts
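Review bot: The narrowed `createUser({ email: userFields.email, password: userFields.password })` call forwards both values without a presence check, so a request body that omits either key now reaches `createUser` with `undefined` in that slot; if `getSignupRoute` (which starts above the hunk) validates the body earlier this is harmless, otherwise a check that both are non-empty strings belongs right before the call, and the same applies to the `username`/`password` pair in local/signup.ts. The allowlist is the right fix for the mass-assignment problem the changelog describes, and it deserves a one-line comment so a later refactor does not quietly reintroduce `createUser(userFields)`: `// Copy only the auth fields: forwarding the whole request body would let a client set arbitrary user columns.` Since the same two-field pick now appears in both providers, a shared helper that extracts the auth fields would keep the allowlist in one place.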
@@ -5,7 +5,10 @@ import { createUser } from '../../utils.js'
 export default handleRejection(async (req, res) => {
 const userFields = req.body || {}
- await createUser(userFields)
+ await createUser({
+ username: userFields.username,
+ password: userFields.password,
+ })
 return res.json({ success: true })
 })
diff --git a/web/docs/language/features.md b/web/docs/language/features.md
index 995253929..cade40051 100644
--- a/web/docs/language/features.md
+++ b/web/docs/language/features.md
@@ -1144,11 +1144,18 @@ Login is a regular action and can be used directly from the frontend.
 #### `signup()`
 An action for signing up the user. This action does not log in the user, you still need to call `login()`.
+
 ```js
 signup(userFields)
 ```
 #### `userFields: object`
-Fields of user entity which was declared in `auth`.
+Auth-related fields (either `username` or `email` and `password`) of the user entity which was declared in `auth`.
+
+:::info
+Wasp only stores the auth-related fields of the user entity. Adding extra fields to `userFields` will not have any effect.
+
+If you need to add extra fields to the user entity, we suggest doing it in a separate step after the user logs in for the first time.
+:::
 #### `import statement`:
 ```js
@@ -1156,7 +1163,6 @@ import signup from '@wasp/auth/signup.js'
 ```
 Signup is a regular action and can be used directly from the frontend.
-
 #### `logout()`
 An action for logging out the user.
 ```js
@@ -1169,7 +1175,7 @@ import logout from '@wasp/auth/logout.js'
 ```
 ##### Example of usage:
-```js
+```jsx
 import logout from '@wasp/auth/logout.js'
 const SignOut = () => {
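Review bot: The new object literal repeats `userFields.` for each field; destructuring up front reads as the allowlist it is and keeps the call short: `const { username, password } = req.body || {}` followed by `await createUser({ username, password })`. Whichever form is kept, a comment on why the body is not passed through is worth adding above the call, e.g. `// Pick only the auth fields so a client cannot set other user columns.`, since nothing else in the handler explains the deliberate narrowing.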