Patches _email_verify_token exposed in /login

spec/ParseUser.spec.js

@@ -3038,7 +3038,7 @@ describe('Parse.User testing', () => {
     });
   });
 
-  it('should not retrieve hidden fields', done => {
+  it('should not retrieve hidden fields on GET users/me (#3432)', done => {
 
     var emailAdapter = {
       sendVerificationEmail: () => {},
@@ -3073,6 +3073,34 @@ describe('Parse.User testing', () => {
       expect(res.emailVerified).toBe(false);
       expect(res._email_verify_token).toBeUndefined();
       done()
+    }).catch((err) => {
+      fail(JSON.stringify(err));
+      done();
+    });
+  });
+
+  it('should not retrieve hidden fields on GET users/id (#3432)', done => {
+
+    var emailAdapter = {
+      sendVerificationEmail: () => {},
+      sendPasswordResetEmail: () => Promise.resolve(),
+      sendMail: () => Promise.resolve()
+    }
+
+    const user = new Parse.User();
+    user.set({
+      username: 'hello',
+      password: 'world',
+      email: "[email protected]"
+    })
+
+    reconfigureServer({
+      appName: 'unused',
+      verifyUserEmails: true,
+      emailAdapter: emailAdapter,
+      publicServerURL: "http://localhost:8378/1"
+    }).then(() => {
+      return user.signUp();
     }).then(() => rp({
       method: 'GET',
       url: 'http://localhost:8378/1/users/' + Parse.User.current().id,
@@ -3091,6 +3119,45 @@ describe('Parse.User testing', () => {
     });
   });
 
+  it('should not retrieve hidden fields on login (#3432)', done => {
+
+    var emailAdapter = {
+      sendVerificationEmail: () => {},
+      sendPasswordResetEmail: () => Promise.resolve(),
+      sendMail: () => Promise.resolve()
+    }
+
+    const user = new Parse.User();
+    user.set({
+      username: 'hello',
+      password: 'world',
+      email: "[email protected]"
+    })
+
+    reconfigureServer({
+      appName: 'unused',
+      verifyUserEmails: true,
+      emailAdapter: emailAdapter,
+      publicServerURL: "http://localhost:8378/1"
+    }).then(() => {
+      return user.signUp();
+    }).then(() => rp.get({
+      url: 'http://localhost:8378/1/[email protected]&username=hello&password=world',
+      json: true,
+      headers: {
+        'X-Parse-Application-Id': Parse.applicationId,
+        'X-Parse-REST-API-Key': 'rest'
+      },
+    })).then((res) => {
+      expect(res.emailVerified).toBe(false);
+      expect(res._email_verify_token).toBeUndefined();
+      done();
+    }).catch((err) => {
+      fail(JSON.stringify(err));
+      done();
+    });
+  });
+
   it('should not allow updates to hidden fields', done => {
     var emailAdapter = {
       sendVerificationEmail: () => {},

src/Routers/UsersRouter.js

@@ -16,6 +16,21 @@ export class UsersRouter extends ClassesRouter {
     return '_User';
   }
 
+  /**
+   * Removes all "_" prefixed properties from an object, except "__type"
+   * @param {Object} obj An object.
+   */
+  static removeHiddenProperties (obj) {
+    for (var key in obj) {
+      if (obj.hasOwnProperty(key)) {
+        // Regexp comes from Parse.Object.prototype.validate
+        if (key !== "__type" && !(/^[A-Za-z][0-9A-Za-z_]*$/).test(key)) {
+          delete obj[key];
+        }
+      }
+    }
+  }
+
   handleMe(req) {
     if (!req.info || !req.info.sessionToken) {
       throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token');
@@ -35,14 +50,7 @@ export class UsersRouter extends ClassesRouter {
           user.sessionToken = sessionToken;
 
           // Remove hidden properties.
-          for (var key in user) {
-            if (user.hasOwnProperty(key)) {
-              // Regexp comes from Parse.Object.prototype.validate
-              if (key !== "__type" && !(/^[A-Za-z][0-9A-Za-z_]*$/).test(key)) {
-                delete user[key];
-              }
-            }
-          }
+          UsersRouter.removeHiddenProperties(user);
 
           return { response: user };
         }
@@ -125,6 +133,9 @@ export class UsersRouter extends ClassesRouter {
         user.sessionToken = token;
         delete user.password;
 
+        // Remove hidden properties.
+        UsersRouter.removeHiddenProperties(user);
+
         // Sometimes the authData still has null on that keys
         // https://github.com/parse-community/parse-server/issues/935
         if (user.authData) {