GitMetricsLab · anshul23102 · May 27, 2026 · coderabbitai · May 27, 2026
diff --git a/backend/config/passportConfig.js b/backend/config/passportConfig.js
@@ -35,9 +35,12 @@ passport.serializeUser((user, done) => {
 });
 
 // Deserialize user (retrieve user from session)
+// Select only the fields needed for request handling. Excluding password
+// prevents the bcrypt hash from being attached to req.user and accidentally
+// serialized into API responses.
 passport.deserializeUser(async (id, done) => {
     try {
-        const user = await User.findById(id);
+        const user = await User.findById(id).select('-password -__v').lean();
         done(null, user);
     } catch (err) {
         done(err, null);

diff --git a/backend/routes/auth.js b/backend/routes/auth.js
@@ -36,14 +36,23 @@ router.post("/login", validateRequest(loginSchema), passport.authenticate('local
 });
 
 // Logout route
-router.get("/logout", (req, res) => {
+// POST is required here: GET is a safe/idempotent method that browsers trigger
+// automatically (img src, prefetch, etc.), which would allow any third-party
+// page to force-logout authenticated users via a passive CSRF request.
+router.post("/logout", (req, res) => {
 
     req.logout((err) => {
 
         if (err)
             return res.status(500).json({ message: 'Logout failed', error: err.message });
-        else
+
+        req.session.destroy((destroyErr) => {
+            if (destroyErr) {
+                return res.status(500).json({ message: 'Session cleanup failed', error: destroyErr.message });
-        if (err)
-            return res.status(500).json({ message: 'Logout failed', error: err.message });
-        else
-
-        req.session.destroy((destroyErr) => {
-            if (destroyErr) {
-                return res.status(500).json({ message: 'Session cleanup failed', error: destroyErr.message });
+const logger = require("../logger");
+// ... rest of file imports ...
+
+        if (err) {
+            logger.error('Logout failed', err);
+            return res.status(500).json({ message: 'Logout failed' });
+        }
+
+        req.session.destroy((destroyErr) => {
+            if (destroyErr) {
+                logger.error('Session cleanup failed', destroyErr);
+                return res.status(500).json({ message: 'Session cleanup failed' });
-        if (err)
-            return res.status(500).json({ message: 'Logout failed', error: err.message });
-        else
-
-        req.session.destroy((destroyErr) => {
-            if (destroyErr) {
-                return res.status(500).json({ message: 'Session cleanup failed', error: destroyErr.message });
+const logger = require("../logger");
+// ... rest of file imports ...
+
+        if (err) {
+            logger.error('Logout failed', err);
+            return res.status(500).json({ message: 'Logout failed' });
+        }
+
+        req.session.destroy((destroyErr) => {
+            if (destroyErr) {
+                logger.error('Session cleanup failed', destroyErr);
+                return res.status(500).json({ message: 'Session cleanup failed' });
+            }
+            res.clearCookie('connect.sid');
             res.status(200).json({ message: 'Logged out successfully' });
+        });
     });
 });
 

diff --git a/backend/server.js b/backend/server.js
@@ -28,10 +28,18 @@ app.use(cors({
 
 // Middleware
 app.use(bodyParser.json());
+const isProduction = process.env.NODE_ENV === 'production';
+
 app.use(session({
     secret: process.env.SESSION_SECRET,
     resave: false,
     saveUninitialized: false,
+    cookie: {
+        httpOnly: true,
+        secure: isProduction,
+        sameSite: 'strict',
+        maxAge: 24 * 60 * 60 * 1000, // 24 hours
+    },
 }));
 app.use(passport.initialize());
 app.use(passport.session());