refactor(auth): update user registration and activation responses for security

- Modified the registerUser and activate functions to return a success status instead of user data, enhancing security by not exposing sensitive information.
- Improved error handling in the registration process, including user cleanup on failure and clearer error messages for email-related issues.
- Ensured that activation emails are sent without returning user details, maintaining user privacy.
Torsten Schulz (local)
2026-02-04 11:21:55 +01:00
parent 673a3afbb5
commit 503ff90dfa
2 changed files with 36 additions and 10 deletions


@@ -1,13 +1,11 @@
import { register, activateUser, login, logout } from '../services/authService.js';
import jwt from 'jsonwebtoken';
import UserToken from '../models/UserToken.js';
import User from '../models/User.js'; // ggf. Pfad anpassen
const registerUser = async (req, res, next) => {
try {
const { email, password } = req.body;
const user = await register(email, password);
res.status(201).json(user);
await register(email, password);
// Aus Sicherheitsgründen KEINE Userdaten (Passwort-Hash, Aktivierungscode, ...) zurückgeben
res.status(201).json({ success: true });
} catch (error) {
next(error);
}
@@ -16,8 +14,9 @@ const registerUser = async (req, res, next) => {
const activate = async (req, res, next) => {
try {
const { activationCode } = req.params;
const user = await activateUser(activationCode);
res.status(200).json(user);
await activateUser(activationCode);
// Auch bei Aktivierung kein komplettes User-Objekt zurückgeben
res.status(200).json({ success: true });
} catch (error) {
next(error);
}
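Review bot: In the first hunk, registerUser now answers every successful call with a uniform `{ success: true }`, but a failure from `register()` still reaches `next(error)` unchanged, so if the service raises a distinguishable "email already registered" error (the description mentions clearer email-related messages in the service file, which is not visible here) the endpoint still tells a caller whether an address has an account. If account enumeration on this route matters, either catch that specific error in the controller and still respond `res.status(201).json({ success: true })`, or have the shared error handler map it to a generic message; in both cases the success and "already exists" paths should also take comparable time. The same consideration applies to activate in the second hunk only insofar as an invalid versus already-used `activationCode` should not produce different messages. Both handlers would benefit from a short JSDoc in English above each `const ... = async (req, res, next)` line stating that no user fields are ever echoed back, e.g. `/** Creates the user and triggers the activation mail; deliberately returns no user data. */`, which would let the inline comments be dropped. The import lines at the top of the first hunk appear to be removed old-side lines; if `jwt`, `UserToken` and `User` really go, confirm `login` and `logout` from the first import are still used by code outside this view.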