feat: filter out API details from user object #6588
Conversation
thanks @wanlingt! as an alternative to updating each query to de-select apiToken, would you like to consider setting select:false at the schema level? This should ensure that apiToken is not returned by default in all queries (in case someone forgets to deselect next time) 😅
see https://mongoosejs.com/docs/2.7.x/docs/schematypes.html
select: {Boolean} - Specifies default path selection behavior. In other words, you can specify if this path should be included or excluded from query results by default.
that is awesome, thanks for the suggestion @tshuli ! I've added it to the user model in f2b8dc2
lgtm! maybe just add one unit test to check that the select:false property is working properly
done! c773b37
- fix(deps): bump libphonenumber-js from 1.10.38 to 1.10.39 in /shared (#6594) Bumps [libphonenumber-js](https://gitlab.com/catamphetamine/libphonenumber-js) from 1.10.38 to 1.10.39. - [Changelog](https://gitlab.com/catamphetamine/libphonenumber-js/blob/master/CHANGELOG.md) - [Commits](https://gitlab.com/catamphetamine/libphonenumber-js/compare/v1.10.38...v1.10.39) --- updated-dependencies: - dependency-name: libphonenumber-js dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- chore: remove customMin and customMax virtuals (#6596) Removed from number field and text field schemas
- chore: remove angular deps (#6602)
- fix(deps): bump validator from 13.9.0 to 13.11.0 in /shared (#6605) Bumps [validator](https://github.com/validatorjs/validator.js) from 13.9.0 to 13.11.0. - [Release notes](https://github.com/validatorjs/validator.js/releases) - [Changelog](https://github.com/validatorjs/validator.js/blob/master/CHANGELOG.md) - [Commits](validatorjs/validator.js@13.9.0...13.11.0) --- updated-dependencies: - dependency-name: validator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- docs: update feature section of README (#6603)
- docs: update feature section of README
- docs: remove E2E wording for encryption
- fix(deps): bump import-in-the-middle from 1.3.4 to 1.4.2 (#6609) Bumps [import-in-the-middle](https://github.com/DataDog/import-in-the-middle) from 1.3.4 to 1.4.2. - [Release notes](https://github.com/DataDog/import-in-the-middle/releases) - [Commits](nodejs/import-in-the-middle@v1.3.4...v1.4.2) --- updated-dependencies: - dependency-name: import-in-the-middle dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- fix(deps): bump type-fest from 4.1.0 to 4.2.0 in /shared (#6610) Bumps [type-fest](https://github.com/sindresorhus/type-fest) from 4.1.0 to 4.2.0. - [Release notes](https://github.com/sindresorhus/type-fest/releases) - [Commits](sindresorhus/type-fest@v4.1.0...v4.2.0) --- updated-dependencies: - dependency-name: type-fest dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- chore(deps-dev): bump @types/lodash from 4.14.196 to 4.14.197 in /shared (#6612) Bumps [@types/lodash](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/lodash) from 4.14.196 to 4.14.197. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/lodash) --- updated-dependencies: - dependency-name: "@types/lodash" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- feat: filter out API details from user object (#6588)
- feat: restrict user fields to email and agency
- feat: remove apiToken property from populated user
- test: return correct admin properties in tests
- feat: remove apiToken from user queries
- feat: filter out apiToken in user model
- test: revert changes made to tests
- fix: remove line breaks
- fix: refine mongoose setup
- test: add check for apiToken property
- chore: Added react dev inspector (#6611)
- added react dev inspector
- moved react dev inspector to dev dependency
- changed command to trigger inspector
- fix(deps): bump libphonenumber-js from 1.10.39 to 1.10.40 in /shared (#6614) Bumps [libphonenumber-js](https://gitlab.com/catamphetamine/libphonenumber-js) from 1.10.39 to 1.10.40. - [Changelog](https://gitlab.com/catamphetamine/libphonenumber-js/blob/master/CHANGELOG.md) - [Commits](https://gitlab.com/catamphetamine/libphonenumber-js/compare/v1.10.39...v1.10.40) --- updated-dependencies: - dependency-name: libphonenumber-js dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- fix(deps): bump libphonenumber-js from 1.10.40 to 1.10.41 in /shared (#6616) Bumps [libphonenumber-js](https://gitlab.com/catamphetamine/libphonenumber-js) from 1.10.40 to 1.10.41. - [Changelog](https://gitlab.com/catamphetamine/libphonenumber-js/blob/master/CHANGELOG.md) - [Commits](https://gitlab.com/catamphetamine/libphonenumber-js/compare/v1.10.40...v1.10.41) --- updated-dependencies: - dependency-name: libphonenumber-js dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- feat: payment by products (#6301)
- wip
- refactor: move admin payments components to PaymentPanel folder
- add AddProductModal and basic item creation flow
- add BE payments product
- wip
- refactor admin payment products input
- fix version not passed to BE
- add _id to be exposed in product model, refactor product types
- wip add responder payment
- feat: add price calculation
- add clear variant for SingleSelect
- add ProductItem Quantity display
- add full width variant for checkbox
- refactor typing, add submit action to pass payment products
- add missing field id constant
- add registering of payment products into form context
- refactor: extract stripe events fn to stripe.events.controller
- refactor: break submission controller into its payment/non-payment creation handlers
- refactor: extract checks into ensure pipelines
- fix: remove duplicate PaymentItemDetailBlock
- fix: next() to be awaited
- refactor: extract price calculation to shared, rename ensuresIsX to ensureX
- fix: hide payment items block for v2, update preview to render using version specific
- refactor: submitEncryptModeForm
- refactor: FieldListDrawer with mapped header+component
- feat: add edit product
- feat: changed ProductModal min/max qty input to hide when multiqty is disabled
- fix: clicking PaymentPreview should redirect to their respective version of payment tab
- fix: paymentpreview to update with latest products when paymentstore changes
- feat: add product deletion flow for admin
- fix: Payment v2 description, refactor PaymetnItemDetailsBlock
- refactor: cleanup #1
- fix: edit mode multi_qty to reference incoming value, fix qty range generation
- fix: merge conflicts, to render-able state
- fix: be to compile-able state
- chore: revert unintended changes
- wip
- fix: remove unnecessary payment checks in handle update payment product
- fix(fe): adding products triggering local data replacement
- feat: support non-multi selection
- fix: quantity selection does not auto select item
- chore: remove unused comments
- feat: add full width variant on radio component
- chore: camelcase checkbox component theme
- feat: store purchased products into payment doc
- chore: remove unused imports
- fix: payment product quantity converted to boolean instead of number
- fix: test cases failing due to incorrect object comparison
- fix: duplicated code from incorrect merge resolution
- chore: update payment page width to match design
- feat: expose products to Payment Page
- refactor: payment UI
- feat: split payments summaries for fixed, variable, and products
- feat: add full payment summary for products
- fix: typing issues
- feat: itemized invoice for payment by products (#6574)
- fix: test cases failing due to incorrect object comparison
- fix: add products button not disabled when panel is disabled
- fix: products payment not showing title on paymentpreview
- feat: add product qty validation
- fix: remove stray test capture group
- feat: show error message if no products are selected (#6585)
- feat: add error message if no product is selected
- fix: change copy
- feat: set default quantity as min qty
- feat: use isProductSelected function to check if at least 1 product is selected
- fix: use Array.prototype.some()
- feat: hide fixed payment type if form is not a fixed payment
- fix: addproduct modal not displaying errors
- chore: send log all payments info instead of only products
- chore: remove unused files
- fix: add product not validating if max qty-payment amount exceed global limits
- chore: use divider instead of hr
- chore: add strong joi validator
- chore: update copy for payment qty-payment amount exceed
- refactor: change function into class to better express side-effects
- refactor: rename productitemschema to productschema
- feat: add joi validation for handleupdatepaymentsproduct
- chore: fix typo, remove unused comments nits
- feat: add payment summary to thank you page (#6591)
- feat: add CompletedPaymentSummary
- feat: add payment_fields_snapshot to payment model
- feat: show products and other payment metadata in thank you page
- feat: db migration script for payment_fields_snapshot
- fix: rename ProductItemSchema to ProductSchema
- fix: use form payment_fields as source of truth in payments model
- ref: refactor getProductNames
- ref: remove unused code
- test: update FormPaymentPage.stories
- refactor: paymentproducts to share same joi validator, add validator to encrypt-submission
- chore: copy changes, tweak order of payment type dropdown, fix padding when payment is not connected
- chore: remove title for payments by product type
- feat: add payment preview placeholder when admin has no items
- chore: products description to be optional, ui changes on payment preview product item
- feat: auto detect disabling multi product toggle
- chore: update copy for payment summary
- fix: unstuck divider with productitem on paymentpreview
- chore: product modal to calculate qty, ui updates
- fix: update text colors
- fix: expand button to full width for mobile
- fix: adjust spacing before recaptcha container
- fix: new payment form not defaulting to products
- fix: product payment type should not require name field validated
- fix: remove mention of gst on product modal if form is not gst enabled
- fix: update test cases to reflect new defaults
- fix: payment date race condition (#6619) fix: move payment date to be returned together when receipt url exists --------- Co-authored-by: wanlingt <56983748+wanlingt@users.noreply.github.com> Co-authored-by: wanlingt <wanling@open.gov.sg>
- fix: supply empty object when snapshot script has not completely migrated (#6622)
- chore: bump version to v6.70.0

---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Foo Chi Fa <59867455+foochifa@users.noreply.github.com>
Co-authored-by: LeonardYam <yamthesmall@gmail.com>
Co-authored-by: Justyn Oh <justynoh@gmail.com>
Co-authored-by: sebastianwzq <136435307+sebastianwzq@users.noreply.github.com>
Co-authored-by: Ken Lee Shu Ming <ken@open.gov.sg>
Problem

The full `user` object, which includes the `apiToken` property, is returned in multiple queries. Closes FRM-1011

Solution

Add `select` to the `apiToken` property in the user model to filter out `apiToken` from any query that returns the full `user` object (from docs: select: {Boolean} - Specifies default path selection behavior. In other words, you can specify if this path should be included or excluded from query results by default.)

Breaking Changes

Tests

`apiToken` property (`{keyHash: .., createdAt:.., lastUsedAt:.. }`). Check that none of the following queries returns the `apiToken` property with the user object:
- `GET /api/v3/admin/forms` - visit admin form dashboard page
- `POST /api/v3/auth/otp/verify` - log out and log in again
- `GET /api/v3/user` - visit admin form dashboard page
- `POST /user/contact/otp/verify` - verify contact OTP
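Added illustration of the behaviour discussed in this thread, written for this page rather than taken from FormSG or Mongoose: a small function that applies Mongoose's documented `select` rule to a stored user, so a path marked `select: false` (here `apiToken`) is absent from results by default and comes back only when a query opts in with `+apiToken`. The schema, the stored user and all of its values are constructed.

```javascript
// Added illustration, not FormSG or Mongoose code: a minimal model of the
// projection rule behind Mongoose's schema-level `select: false`.

// Constructed schema: apiToken is hidden from query results by default.
const userSchema = {
  email: { type: 'String' },
  agency: { type: 'ObjectId' },
  contact: { type: 'String' },
  apiToken: { type: 'ApiTokenSubdocument', select: false },
};

// Constructed document as stored in the database (apiToken present).
const storedUser = {
  _id: 'user-1',
  email: 'admin@example.gov.sg',
  agency: 'agency-1',
  contact: '+6590000000',
  apiToken: { keyHash: 'HASH-PLACEHOLDER', createdAt: '2023-08-01', lastUsedAt: '2023-08-02' },
};

// Apply a Mongoose-style select string to a stored document:
//   ''             -> every path except those marked select: false
//   '+apiToken'    -> re-include a select:false path for this query only
//   '-contact'     -> exclude a path
//   'email agency' -> inclusive projection (plus _id)
function applySelection(schema, doc, selectString = '') {
  const tokens = selectString.split(/\s+/).filter(Boolean);
  const forcedIn = new Set(tokens.filter((t) => t.startsWith('+')).map((t) => t.slice(1)));
  const excluded = new Set(tokens.filter((t) => t.startsWith('-')).map((t) => t.slice(1)));
  const inclusive = tokens.filter((t) => !t.startsWith('+') && !t.startsWith('-'));

  const result = {};
  for (const [path, value] of Object.entries(doc)) {
    if (excluded.has(path)) continue;
    if (path === '_id') { result._id = value; continue; }
    if (inclusive.length > 0 && !inclusive.includes(path) && !forcedIn.has(path)) continue;
    const hiddenByDefault = schema[path] !== undefined && schema[path].select === false;
    if (hiddenByDefault && !forcedIn.has(path)) continue;
    result[path] = value;
  }
  return result;
}

// Regression check in the spirit of the unit test added in this PR: a user
// object handed to a response must not carry the apiToken path at all.
function leaksApiToken(userObject) {
  return Object.prototype.hasOwnProperty.call(userObject, 'apiToken');
}
```

The default case is the one the reviewer is after: with no per-query deselect at all, `applySelection(userSchema, storedUser)` already omits `apiToken`, so a forgotten `.select('-apiToken')` in a new query no longer leaks the token hash.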