From 59992b4ac8df7a16b941bed035c110a2e239c97e Mon Sep 17 00:00:00 2001
From: Alex Holliday
Date: Wed, 3 Jul 2024 11:59:24 -0700
Subject: [PATCH 1/2] Remove profileImage from returned user

---
 Server/db/MongoDB.js | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/Server/db/MongoDB.js b/Server/db/MongoDB.js
index 1dc26ce2c..ab2d626f4 100644
--- a/Server/db/MongoDB.js
+++ b/Server/db/MongoDB.js
@@ -42,7 +42,9 @@ const insertUser = async (req, res) => {
 }
 const newUser = new UserModel(userData);
 await newUser.save();
- return await UserModel.findOne({ _id: newUser._id }).select("-password"); // .select() doesn't work with create, need to save then find
+ return await UserModel.findOne({ _id: newUser._id })
+ .select("-password")
+ .select("-profileImage"); // .select() doesn't work with create, need to save then find
 } catch (error) {
 if (error.code === DUPLICATE_KEY_CODE) {
 throw new Error(errorMessages.DB_USER_EXISTS);
@@ -65,8 +67,10 @@ const insertUser = async (req, res) => {
 const getUserByEmail = async (req, res) => {
 try {
 // Need the password to be able to compare, removed .select()
- // We can strip the hash before returing the user
- const user = await UserModel.findOne({ email: req.body.email });
+ // PW hash is removed in controller
+ const user = await UserModel.findOne({ email: req.body.email }).select(
+ "-profileImage"
+ );
 if (user) {
 return user;
 } else {
@@ -102,7 +106,9 @@ const updateUser = async (req, res) => {
 candidateUserId,
 candidateUser,
 { new: true } // Returns updated user instead of pre-update user
- ).select("-password");
+ )
+ .select("-password")
+ .select("-profileImage");
 return updatedUser;
 } catch (error) {
 throw error;

From f97aa1ca8ca095d321930d782a4fbf24b904e4c3 Mon Sep 17 00:00:00 2001
From: Alex Holliday
Date: Wed, 3 Jul 2024 12:20:30 -0700
Subject: [PATCH 2/2] Return user and Token instead of decoding token. Added transform to not store image in redux store

---
 Client/src/Features/Auth/authSlice.js | 6 ++----
 Client/src/store.js | 14 +++++++++++++-
 Server/controllers/authController.js | 10 +++++++---
 Server/db/MongoDB.js | 14 ++++----------
 4 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/Client/src/Features/Auth/authSlice.js b/Client/src/Features/Auth/authSlice.js
index ef41c1b46..5358d7f4d 100644
--- a/Client/src/Features/Auth/authSlice.js
+++ b/Client/src/Features/Auth/authSlice.js
@@ -67,10 +67,8 @@ const handleAuthFulfilled = (state, action) => {
 state.isLoading = false;
 state.success = action.payload.success;
 state.msg = action.payload.msg;
- state.authToken = action.payload.data;
- const decodedToken = jwtDecode(action.payload.data);
- const user = { ...decodedToken };
- state.user = user;
+ state.authToken = action.payload.data.token;
+ state.user = action.payload.data.user;
 };
 const handleAuthRejected = (state, action) => {
 state.isLoading = false;
diff --git a/Client/src/store.js b/Client/src/store.js
index 54201761e..ebb6a325b 100644
--- a/Client/src/store.js
+++ b/Client/src/store.js
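Review bot: `state.user` now takes `action.payload.data.user` verbatim, and because the `auth` slice is persisted by redux-persist every field the server chooses to include is written to browser storage, whereas before only the token's decoded claims were kept; pick the fields the UI actually reads instead of storing the whole object (the store.js transform in this patch only targets `profileImage`). There is also no guard that `data.token` and `data.user` exist, so a response in the old shape (a bare token string) silently persists `undefined` for both; something like `if (!action.payload.data?.token) { state.success = false; return; }` ahead of the two assignments would keep the slice out of a half-authenticated state. `jwtDecode` is no longer referenced in this function; if nothing else in the slice uses it, drop the import at the top of the file. handleAuthFulfilled's signature sits above the hunk.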
@@ -2,12 +2,24 @@ import { configureStore, combineReducers } from "@reduxjs/toolkit";
 import monitorsReducer from "./Features/Monitors/monitorsSlice";
 import authReducer from "./Features/Auth/authSlice";
 import storage from "redux-persist/lib/storage";
-import { persistReducer, persistStore } from "redux-persist";
+import { persistReducer, persistStore, createTransform } from "redux-persist";
+
+const authTransform = createTransform(
+ (inboundState) => {
+ const { profileImage, ...rest } = inboundState;
+ return rest;
+ },
+ // No transformation on rehydration
+ null,
+ // Only applies to auth
+ { whitelist: ["auth"] }
+);
 
 const persistConfig = {
 key: "root",
 storage,
 whitielist: ["auth", "monitors"],
+ transforms: [authTransform],
 };
 
 const rootReducer = combineReducers({
diff --git a/Server/controllers/authController.js b/Server/controllers/authController.js
index bbf676e8a..0e05853b6 100644
--- a/Server/controllers/authController.js
+++ b/Server/controllers/authController.js
@@ -55,7 +55,11 @@ const registerController = async (req, res, next) => {
 service: SERVICE_NAME,
 userId: newUser._id,
 });
- const token = issueToken(newUser._doc);
+
+ const userForToken = { ...newUser._doc };
+ delete userForToken.profileImage;
+
+ const token = issueToken(userForToken);
 
 // Sending email to user with pre defined template
 const template = registerTemplate("https://www.bluewavelabs.ca");
@@ -69,7 +73,7 @@ const registerController = async (req, res, next) => {
 return res.status(200).json({
 success: true,
 msg: successMessages.AUTH_CREATE_USER,
- data: token,
+ data: { user: newUser, token: token },
 });
 } catch (error) {
 error.service = SERVICE_NAME;
@@ -108,7 +112,7 @@ const loginController = async (req, res, next) => {
 return res.status(200).json({
 success: true,
 msg: successMessages.AUTH_LOGIN_USER,
- data: { user: userWithoutPassword, token: token },
+ data: { user: userWithoutPassword, token: token },
 });
 } catch (error) {
 error.status = 500;
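Review bot: The inbound transform strips a top-level `profileImage` key from the persisted auth slice, but per the authSlice hunk in this same patch the user object is stored at `state.user`, so the image lives at `inboundState.user.profileImage` and this destructuring removes nothing — the image is still written to storage. The transform needs to reach into `user`, as below. While here, the neighbouring context line spells the redux-persist option `whitielist`, which redux-persist ignores, so that whitelist has never applied; unless that is intentional, correct it to `whitelist: ["auth", "monitors"],` in the same change.
```javascript
const authTransform = createTransform(
  (inboundState) => {
    // profileImage sits on the persisted user object, not on the slice root
    const { user, ...rest } = inboundState;
    if (!user) return inboundState;
    const { profileImage, ...userWithoutImage } = user;
    return { ...rest, user: userWithoutImage };
  },
  // … unchanged: null outbound transform, { whitelist: ["auth"] } …
);
```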
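Review bot: The JWT payload is still the entire Mongoose document spread out of `newUser._doc` with only `profileImage` deleted, so every other stored field (email, names, timestamps, `__v`, anything added to the schema later) ends up in a token that is merely base64-encoded and, after this patch, persisted in browser storage by redux-persist. Since the client no longer decodes the token to build its user (authSlice hunk in this patch), the only remaining consumer appears to be the server's own verification, which presumably needs just an identifier — confirm against issueToken and the auth middleware, then switch from a denylist to an allowlist: `const token = issueToken({ _id: newUser._id, email: newUser.email });`. If the spread is kept, `newUser.toObject()` is the public API for what `_doc` exposes. registerController's body continues above and below the hunk.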
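Review bot: `data: { user: newUser, ... }` serializes the Mongoose document returned by insertUser, which after the MongoDB.js hunks in this patch once again excludes only `password`; any field later added to the user schema (reset tokens, verification codes, role flags) would be returned to the client automatically, and the same applies to `userWithoutPassword` in the login response below. Shaping the response from an explicit list of fields, or a `toJSON` transform on the user schema that drops sensitive fields once for every route, is safer than a per-route denylist. The surrounding try/catch opens above the hunk.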
diff --git a/Server/db/MongoDB.js b/Server/db/MongoDB.js
index ab2d626f4..1dc26ce2c 100644
--- a/Server/db/MongoDB.js
+++ b/Server/db/MongoDB.js
@@ -42,9 +42,7 @@ const insertUser = async (req, res) => {
 }
 const newUser = new UserModel(userData);
 await newUser.save();
- return await UserModel.findOne({ _id: newUser._id })
- .select("-password")
- .select("-profileImage"); // .select() doesn't work with create, need to save then find
+ return await UserModel.findOne({ _id: newUser._id }).select("-password"); // .select() doesn't work with create, need to save then find
 } catch (error) {
 if (error.code === DUPLICATE_KEY_CODE) {
 throw new Error(errorMessages.DB_USER_EXISTS);
@@ -67,10 +65,8 @@ const insertUser = async (req, res) => {
 const getUserByEmail = async (req, res) => {
 try {
 // Need the password to be able to compare, removed .select()
- // PW hash is removed in controller
- const user = await UserModel.findOne({ email: req.body.email }).select(
- "-profileImage"
- );
+ // We can strip the hash before returing the user
+ const user = await UserModel.findOne({ email: req.body.email });
 if (user) {
 return user;
 } else {
@@ -106,9 +102,7 @@ const updateUser = async (req, res) => {
 candidateUserId,
 candidateUser,
 { new: true } // Returns updated user instead of pre-update user
- )
- .select("-password")
- .select("-profileImage");
+ ).select("-password");
 return updatedUser;
 } catch (error) {
 throw error;
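Review bot: The restored `findOne({ email: req.body.email })` puts a request-body value straight into the filter with no type check; with a JSON body a client can send `{"email": {"$ne": null}}`, which Mongoose forwards as a query operator unless `sanitizeFilter` or an upstream validator stops it (neither is visible in this file), and the function would then return the first user in the collection together with its password hash. Reject non-strings before querying, e.g. `if (typeof req.body.email !== "string") throw new TypeError("email must be a string");`, or pass `{ sanitizeFilter: true }` as the query option. The restored comment also has a typo (`returing`) and should say plainly that the returned document still contains the password hash and every caller is responsible for dropping it, since the controller-side stripping is the only thing between this query and the HTTP response. getUserByEmail's body continues past the hunk.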