torsten/miriamgemeinde
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Entferne Debug-Logging aus der SMTP-Konfiguration und schütze sensible Benutzerdaten in den Benutzer-Controller-Methoden. Füge sichere Rückgaben ohne Passwörter hinzu und verbessere die Fehlerprotokollierung für Benutzeroperationen.

Browse Source
This commit is contained in:
Torsten Schulz (local)
2025-09-24 09:18:08 +02:00
parent 23ba880286
commit 36e5b05e39
2 changed files with 49 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
config/email.js
View File

@@ -12,19 +12,6 @@ const smtpConfig = {
}; };
// Debug-Logging der SMTP-Konfiguration // Debug-Logging der SMTP-Konfiguration
console.log('=== SMTP CONFIGURATION DEBUG ===');
console.log('Host:', smtpConfig.host);
console.log('Port:', smtpConfig.port);
console.log('Secure:', smtpConfig.secure);
console.log('User:', smtpConfig.auth.user);
console.log('Pass:', smtpConfig.auth.pass.replace(/./g, '*')); // Passwort maskieren
console.log('Environment Variables:');
console.log(' SMTP_HOST:', process.env.SMTP_HOST || 'undefined');
console.log(' SMTP_PORT:', process.env.SMTP_PORT || 'undefined');
console.log(' SMTP_USER:', process.env.SMTP_USER || 'undefined');
console.log(' SMTP_PASS:', process.env.SMTP_PASS ? '***' : 'undefined');
console.log('================================');
const transporter = nodemailer.createTransport(smtpConfig); const transporter = nodemailer.createTransport(smtpConfig);
// E-Mail-Template für Passwort-Reset // E-Mail-Template für Passwort-Reset

54
controllers/userController.js
View File

@@ -2,22 +2,29 @@ const { User } = require('../models');
exports.getAllUsers = async (req, res) => { exports.getAllUsers = async (req, res) => {
try { try {
const users = await User.findAll({order: [['name', 'ASC']]}); const users = await User.findAll({
order: [['name', 'ASC']],
attributes: ['id', 'name', 'email', 'active', 'created_at'] // Passwort ausschließen
});
res.status(200).json(users); res.status(200).json(users);
} catch (error) { } catch (error) {
console.error('Error fetching users:', error);
res.status(500).json({ message: 'Error fetching users' }); res.status(500).json({ message: 'Error fetching users' });
} }
}; };
exports.getUserById = async (req, res) => { exports.getUserById = async (req, res) => {
try { try {
const user = await User.findByPk(req.params.id); const user = await User.findByPk(req.params.id, {
attributes: ['id', 'name', 'email', 'active', 'created_at'] // Passwort ausschließen
});
if (user) { if (user) {
res.status(200).json(user); res.status(200).json(user);
} else { } else {
res.status(404).json({ message: 'User not found' }); res.status(404).json({ message: 'User not found' });
} }
} catch (error) { } catch (error) {
console.error('Error fetching user:', error);
res.status(500).json({ message: 'Error fetching user' }); res.status(500).json({ message: 'Error fetching user' });
} }
}; };
@@ -25,8 +32,19 @@ exports.getUserById = async (req, res) => {
exports.createUser = async (req, res) => { exports.createUser = async (req, res) => {
try { try {
const user = await User.create(req.body); const user = await User.create(req.body);
res.status(201).json(user);
// Sichere User-Daten zurückgeben (ohne Passwort)
const safeUser = {
id: user.id,
name: user.name,
email: user.email,
active: user.active,
created_at: user.created_at
};
res.status(201).json(safeUser);
} catch (error) { } catch (error) {
console.error('Error creating user:', error);
res.status(500).json({ message: 'Error creating user' }); res.status(500).json({ message: 'Error creating user' });
} }
}; };
@@ -35,12 +53,37 @@ exports.updateUser = async (req, res) => {
try { try {
const user = await User.findByPk(req.params.id); const user = await User.findByPk(req.params.id);
if (user) { if (user) {
await user.update(req.body); // Erstelle eine Kopie der Request-Daten ohne sensible Felder
res.status(200).json(user); const updateData = { ...req.body };
// Entferne sensible Felder, die niemals über diese Route geändert werden dürfen
delete updateData.password;
delete updateData.id;
delete updateData.created_at;
// Setze updated_at auf aktuelle Zeit
updateData.updated_at = new Date();
// Logging für Debugging
console.log('Updating user:', req.params.id, 'with data:', updateData);
await user.update(updateData);
// Sichere User-Daten zurückgeben (ohne Passwort)
const safeUser = {
id: user.id,
name: user.name,
email: user.email,
active: user.active,
created_at: user.created_at
};
res.status(200).json(safeUser);
} else { } else {
res.status(404).json({ message: 'User not found' }); res.status(404).json({ message: 'User not found' });
} }
} catch (error) { } catch (error) {
console.error('Error updating user:', error);
res.status(500).json({ message: 'Error updating user' }); res.status(500).json({ message: 'Error updating user' });
} }
}; };
@@ -55,6 +98,7 @@ exports.deleteUser = async (req, res) => {
res.status(404).json({ message: 'User not found' }); res.status(404).json({ message: 'User not found' });
} }
} catch (error) { } catch (error) {
console.error('Error deleting user:', error);
res.status(500).json({ message: 'Error deleting user' }); res.status(500).json({ message: 'Error deleting user' });
} }
}; };