From a78178ec47038b582f53a9f625d35a357c7b3293 Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan
Date: Tue, 14 Sep 2021 10:36:14 -0700
Subject: [PATCH] redact password immediately after verify
---
 src/routes/profile.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/routes/profile.js b/src/routes/profile.js
index ee38e4ddc..5d1144670 100644
--- a/src/routes/profile.js
+++ b/src/routes/profile.js
@@ -70,6 +70,8 @@ async function update(req, res, next) {
 const [verifyError] = await safe(users.verify(req.user.id, req.body.password, users.AP_WEBADMIN));
 if (verifyError) return next(BoxError.toHttpError(verifyError));
+
+ req.body.password = ''; // this will prevent logs from displaying plain text password
 }
 const [error] = await safe(users.update(req.user, data, auditSource.fromRequest(req)));
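Review bot: The redaction runs only after a successful verify, so on the `if (verifyError) return next(...)` path the submitted password is still in `req.body` when the error handler and any request logging run; a failed attempt is often a typo of the real password or a credential that belongs to another account. Copy the value to a local and blank the body before verifying, e.g. `const password = req.body.password; req.body.password = '';`, then pass `password` to `users.verify(...)`. The assignment also sits inside a conditional block whose opening line is outside the hunk, so a request that carries a password but skips this branch is presumably not redacted. Redacting sensitive keys in the logging layer itself would cover every route rather than relying on each handler to remember it.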