🧑‍💻 refactor: Secure Field Selection for 2FA & API Build Sourcemap (#9087)

* refactor: `packages/api` build scripts for better inline debugging * refactor: Explicitly select secure fields as no longer returned by default, exclude backupCodes from user data retrieval in authentication and 2FA processes * refactor: Backup Codes UI to not expect backup codes, only regeneration * refactor: Ensure secure fields are deleted from user data in getUserController
2025-12-17 08:50:15 +01:00 · 2025-08-15 18:55:49 -04:00 · 2025-08-15 18:55:49 -04:00 · 3547873bc4
commit 3547873bc4
parent 50b7bd6643
15 changed files with 82 additions and 31 deletions
--- a/api/server/controllers/auth/TwoFactorAuthController.js
+++ b/api/server/controllers/auth/TwoFactorAuthController.js
@ -22,10 +22,11 @@ const verify2FAWithTempToken = async (req, res) => {
    try {
      payload = jwt.verify(tempToken, process.env.JWT_SECRET);
    } catch (err) {
+      logger.error('Failed to verify temporary token:', err);
      return res.status(401).json({ message: 'Invalid or expired temporary token' });
    }

-    const user = await getUserById(payload.userId);
+    const user = await getUserById(payload.userId, '+totpSecret +backupCodes');
    if (!user || !user.twoFactorEnabled) {
      return res.status(400).json({ message: '2FA is not enabled for this user' });
    }
@ -42,11 +43,11 @@ const verify2FAWithTempToken = async (req, res) => {
      return res.status(401).json({ message: 'Invalid 2FA code or backup code' });
    }

-    // Prepare user data to return (omit sensitive fields).
    const userData = user.toObject ? user.toObject() : { ...user };
-    delete userData.password;
    delete userData.__v;
+    delete userData.password;
    delete userData.totpSecret;
+    delete userData.backupCodes;
    userData.id = user._id.toString();

    const authToken = await setAuthTokens(user._id, res);