From 7c6e8dce0858bb4b5349dbcb1adcc279dfb5f401 Mon Sep 17 00:00:00 2001
From: fahed
Date: Wed, 4 Mar 2026 12:33:36 +0300
Subject: [PATCH] =?UTF-8?q?fix:=20use=20nocodb.get()=20after=20list()=20fo?= =?UTF-8?q?r=20auth=20=E2=80=94=20list=20may=20omit=20fields?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

NocoDB list endpoint doesn't always return all fields (e.g. password_hash). Use list() to find by email/token, then get() to fetch the full record with all fields.

Co-Authored-By: Claude Opus 4.6
---
 server/server.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/server/server.js b/server/server.js
index bdf85d0..2d26df9 100644
--- a/server/server.js
+++ b/server/server.js
@@ -620,7 +620,10 @@ app.post('/api/auth/login', async (req, res) => {
 try {
 const users = await nocodb.list('Users', { where: `(email,eq,${sanitizeWhereValue(email)})`, limit: 1 });
- const user = users[0];
+ if (users.length === 0) return res.status(401).json({ error: 'Invalid email or password' });
+
+ // nocodb.list() may not return all fields — fetch full record
+ const user = await nocodb.get('Users', users[0].Id);
 if (!user || !user.password_hash) return res.status(401).json({ error: 'Invalid email or password' });
 const valid = await bcrypt.compare(password, user.password_hash);
@@ -709,7 +712,8 @@ app.post('/api/auth/reset-password', async (req, res) => {
 const users = await nocodb.list('Users', { where: `(reset_token,eq,${tokenHash})`, limit: 1 });
 if (users.length === 0) return res.status(400).json({ error: 'Invalid or expired reset token' });
- const user = users[0];
+ // nocodb.list() may not return all fields — fetch full record
+ const user = await nocodb.get('Users', users[0].Id);
 if (!user.reset_token_expires || new Date(user.reset_token_expires) < new Date()) {
 return res.status(400).json({ error: 'Invalid or expired reset token' });
 }
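Review bot: The login path now answers an unknown email after a single `nocodb.list()` call, while a known email goes on to `nocodb.get()` and `bcrypt.compare()`, so response time can reveal which addresses are registered even though both cases return the same 401 text. This applies at the added early return `if (users.length === 0) return res.status(401)...` and at the `!user || !user.password_hash` branch below it. Running a compare against a fixed placeholder hash before returning, e.g. `await bcrypt.compare(password, DUMMY_BCRYPT_HASH);` (a constant that would have to be defined elsewhere in the file), keeps the work per request roughly equal. The handler starts and ends outside the hunk, so rate limiting or other mitigations may exist that are not visible here.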
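Review bot: In the reset-password hunk `user` is dereferenced at `user.reset_token_expires` without the `!user` guard the login hunk has, and the record returned by `nocodb.get()` is never checked against `tokenHash`. If the row is deleted, or the token is consumed or replaced, between the `list()` and `get()` calls, the handler either throws (presumably landing in a catch outside the hunk) or accepts a token that no longer matches the stored one. I would change the condition to `if (!user || user.reset_token !== tokenHash || !user.reset_token_expires || new Date(user.reset_token_expires) < new Date()) {` so the full record is re-validated before the password is changed. This assumes `get()` returns the `reset_token` field, which the commit message implies but the hunk does not show.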