When Deserializing a User in Passport is there any reason not to remove Secrets?

I am using the passport-local passport strategy, but in general I have a few questions (sorry for the length). They might be very novice questions so I apologize in advance, but please criticize every aspect of my question and code for security purposes. I want to follow the principle of least privilege, so I was wondering if I should remove certain secret properties from the user when I deserialize them in passport. For example my user has the hash, salt, and iterations properties whose values I don’t want to accidentally leak to the frontend.

If you’re unfamiliar with passport it puts user data on the request object on the server. When using anything with Connect middlewares (I’m using Express) this request object is passed through multiple request handlers/middlewares until eventually one of them sends a response to the client. The deserialize user method is what provides passport with a way to deserialize the user from it’s serialized state (which in the below example the serialized state is the id).

  1. First question, what would be the major advantages or disadvantages if I deserialize my user without these properties (namely the hash, salt, and iterations) in the deserialize user properties before allowing the user to be put onto the server-side request object (i.e. request.user)?

For example instead of this:

passport.deserializeUser(async function(id, done) {   try {     const users = await sqlFetch`SELECT * From users WHERE id = $  {id}`;     const user = users[0];     done(null, user);   } catch (err) {     done(err, null);   } }); 

I could do this:

passport.deserializeUser(async function(id, done) {   try {     const users = await sqlFetch`SELECT username, email, id, isAdmin From users WHERE id = $  {id}`;     const user = users[0];     done(null, user);   } catch (err) {     done(err, null);   } }); 

That way I do not ever accidentally leak the hash, salt, and iterations to the client.

If I want to prevent sending the hash, salt, and iterations with a deserialized user while answering no to question 1 I would probably do it at the time I send the webpage to the client like the example here:

router.get("/", (req, res) => {   res.render("index", {     user: req.user && {       id: req.user.id,       email: req.user.email,       displayName: req.user.displayName,       isAdmin: req.user.isAdmin     },   }); }); 

Given that there are tons of routes that would do this it just seems like something might go wrong at one point. So, I could use middleware on specific routers so that every router.get, router.post, etc. that comes after it will not have the full user:

router.use(function (req, res, next) {   req.user = req.user && {     id: req.user.id,     email: req.user.email,     displayName: req.user.displayName,     isAdmin: req.user.isAdmin   };   next(); })  router.get("/", (req, res) => {   res.render("index", {     user: req.user,   }); }); 
  1. I have an assumption that is heavily tied to making me want to say yes to question one; that assumption is that the hash, salt, and iterations never needs to be used by the server past authentication and authorization therefore I would never need to use the full user object outside of passport (e.g. outside as in when using request.user to access the user later), and therefore according to principle of least privilege I shouldn’t use the full user elsewhere. Is this assumption correct?

  2. Also, to go along with 2. I think if I don’t send the user along with the request through my route handlers then I wouldn’t be as vulnerable to shared memory vulnerabilities (I usually host my apps on the cloud, so I assume this should be a concern.) is that a valid concern and assumption?

  3. Say instead the secrets were an API token. The difference with this is I need it to be authorized to an external API at some point in a request cycle. For the same reasons as above (i.e. least privilege, shared memory vulnerabilities) should I grab the users tokens at the start of the request and probably go the middleware route where I don’t allow access outside my API routes, or should I only fetch this API token from the DB (which is an extra database call) when I need it maybe with it’s own middleware (but only on my API routers’ routes)? One other option for API tokens that I’ve heard of is to encrypt the API token in the db and decrypt at time of use? Do any of those last 3 options for API tokens have major advantages or disadvantages over the others?

Do the Israeli consulates give visa on a separate piece of paper instead of on the passport?

I am a Bangladeshi citizen studying in Columbia University. I wanted to go to Israel for a trip this winter. But Bangladesh still does not recognize Israel as a state and the front page of the passport states that This passport is valid for all the countries in the world except Israel.

I applied for a visa in the Israeli consulate here in NYC. I have just received the confirmation of visa from the Israeli consulate in NYC. I have heard that Israel do not give the visa on the passport. Instead they paste it on a separate piece of paper, and make like a travel permit and they also do not stamp the passport/or any ID during immigration. Is that true? And would I get in trouble entering Bangladesh if I do get a visa on my passport?

I do not have any other passport/nationalities.

Traveling from UK (London) to USA via Dublin, 6 month passport expiry query

I just have a quick question/confirmation regarding the 6 month expiry rule.

I am travelling from the UK to the USA on 2nd of Sept to 17th Sept 2019.

My passport is set to expire 09 March 2020, so the 6 month range will occur mid-holiday.

As far as I can see on the USA and Ireland websites, the 6 month rule does not apply to UK citizens:

Ireland – https://www.gov.uk/foreign-travel-advice/ireland/entry-requirements

If you’re using a passport to enter Ireland, it should be valid for the proposed duration of your stay; you don’t need any additional period of validity on your passport beyond this.

USA – https://uk.usembassy.gov/visas/non-immigrant-visa-faqs/passport-and-travel-documents/

For certain nationalities, the passport or other travel document must be valid for at least six months beyond the proposed stay in the United States. The six-month requirement does not apply to United Kingdom passports.

I tried contacting my airline to confirm that I should be fine as is, but they just replied with the following:

[Airline] is required to comply with all government passport and visa requirements. It is your responsibility to ensure you are permitted to enter or transit all countries on your itinerary. While we cannot strictly advise you on individual requirements, you can check requirements by visiting the IATA Travel Centre at https://iatatravelcentre.com.

I also ran my details through the IATA website and that all turns up green, but I’m just hoping someone can give further confirmation that I should be fine as is?

I’d rather afford paying out the nose for express passport and ticket modifications if possible.


Dual USA and UK travelling to USA for funeral – expired USA passport

I’m travelling to the USA on Monday for a sudden and unplanned funeral. I have just realised that my USA Passport is expired- only just (June 15 2019). I do have my UK Passport which is in date and valid but I am unsure of what might happen if I travel into USA on UK. I ca obviously arrange to fill an ESTA and I also have a valid USA Driving license. What do you recommend? Should I just chance it and travel in as a UK citizen?