
feat: filter out API details from user object #6588

Merged: 9 commits merged into develop from fix/api-user on Aug 11, 2023

Conversation

@wanlingt wanlingt commented Aug 1, 2023

Problem

The full user object, which includes the apiToken property, is returned in multiple queries.

Closes FRM-1011

Solution

Add select to the apiToken property in the user model to filter out apiToken from any query that returns the full user object.
(from docs: select: {Boolean} - Specifies default path selection behavior. In other words, you can specify if this path should be included or excluded from query results by default.)

Breaking Changes

  • No - this PR is backwards compatible

Tests

  • Update a user with the apiToken property ({keyHash: .., createdAt:.., lastUsedAt:.. }). Check that none of the following queries returns the apiToken property with the user object:
    • GET /api/v3/admin/forms - visit admin form dashboard page
    • POST /api/v3/auth/otp/verify - log out and log in again
    • GET /api/v3/user - visit admin form dashboard page
    • POST /user/contact/otp/verify - verify contact OTP
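The schema-level default-exclusion behaviour this PR relies on, modelled in plain JavaScript as an added example. This is not FormSG's code and not mongoose itself: the `userSchema` object, the projection-string handling in `effectivePaths` and the sample users are constructed and simplified (real mongoose, for instance, rejects mixing inclusive and exclusive projections). It shows why marking a path `select: false` on the schema protects every query by default, while a route that genuinely needs the token can still opt in with `+apiToken`.

```javascript
// Added example (not FormSG's or mongoose's code): a small model of
// mongoose's schema-level `select: false` default path selection, so the
// behaviour the PR depends on can be exercised without a database.

// Constructed schema: `select: false` marks a path as excluded from query
// results by default, mirroring the option added to the user model's apiToken.
const userSchema = {
  email: { type: String },
  agency: { type: String },
  apiToken: { type: Object, select: false },
};

// Paths the schema excludes unless a query explicitly re-selects them.
function defaultExcludedPaths(schema) {
  return Object.keys(schema).filter((path) => schema[path].select === false);
}

// Resolve a mongoose-style projection string against the schema defaults and
// return the paths a query would return, in schema order:
//   ''             -> all paths except default-excluded ones
//   '+apiToken'    -> defaults plus a force-included default-excluded path
//   'email agency' -> inclusive projection, only the named paths
//   '-agency'      -> defaults minus an explicitly excluded path
function effectivePaths(schema, projection = '') {
  const excluded = new Set(defaultExcludedPaths(schema));
  const tokens = projection.split(/\s+/).filter(Boolean);
  const inclusive = tokens.filter((t) => !t.startsWith('+') && !t.startsWith('-'));
  for (const t of tokens) {
    if (t.startsWith('-')) excluded.add(t.slice(1));
    else excluded.delete(t.replace(/^\+/, '')); // explicit naming overrides the default
  }
  const base = inclusive.length ? inclusive : Object.keys(schema);
  return base.filter((p) => !excluded.has(p));
}

// Apply the resolved projection to stored documents, as a query would.
function runQuery(schema, docs, projection = '') {
  const paths = effectivePaths(schema, projection);
  return docs.map((doc) =>
    Object.fromEntries(paths.filter((p) => p in doc).map((p) => [p, doc[p]])),
  );
}

// Constructed sample users; keyHash is a placeholder, not a real hash.
const users = [
  {
    email: 'admin@example.gov.sg',
    agency: 'EXAMPLE',
    apiToken: { keyHash: '<placeholder-hash>', createdAt: '2023-08-01T00:00:00Z', lastUsedAt: null },
  },
  { email: 'viewer@example.gov.sg', agency: 'EXAMPLE' },
];

// The check the PR's test plan describes: does any returned user carry apiToken?
function leaksApiToken(results) {
  return results.some((u) => Object.prototype.hasOwnProperty.call(u, 'apiToken'));
}

function main() {
  // Default query, as used by the admin dashboard or OTP verification routes:
  // apiToken is dropped without each call site remembering to deselect it.
  const defaultResult = runQuery(userSchema, users);
  console.log('default query leaks apiToken:', leaksApiToken(defaultResult));
  // Opt-in query: a route that must verify an API key re-selects the path explicitly.
  const optInResult = runQuery(userSchema, users, '+apiToken');
  console.log('opt-in query includes apiToken:', leaksApiToken(optInResult));
}
main();
```

The design point is that the safe outcome becomes the default: a new query added next year is protected without its author knowing about the field, and the few places that need the token have to say so in a way that is easy to grep for in review.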

@wanlingt wanlingt marked this pull request as ready for review August 7, 2023 09:12
@tshuli tshuli left a comment

thanks @wanlingt! as an alternative to updating each query to de-select apiToken, would you like to consider setting select:false at the schema level? This should ensure that apiToken is not returned by default in all queries (in case someone forgets to deselect next time)😅

see https://mongoosejs.com/docs/2.7.x/docs/schematypes.html

select: {Boolean} - Specifies default path selection behavior. In other words, you can specify if this path should be included or excluded from query results by default.

@wanlingt
Contributor Author

> thanks @wanlingt! as an alternative to updating each query to de-select apiToken, would you like to consider setting select:false at the schema level? This should ensure that apiToken is not returned by default in all queries (in case someone forgets to deselect next time)😅
>
> see https://mongoosejs.com/docs/2.7.x/docs/schematypes.html
>
> select: {Boolean} - Specifies default path selection behavior. In other words, you can specify if this path should be included or excluded from query results by default.

that is awesome, thanks for the suggestion @tshuli! I've added it to the user model in f2b8dc2

@wanlingt wanlingt requested a review from tshuli August 10, 2023 01:43
@tshuli tshuli left a comment

lgtm! maybe just add one unit test to check that the select:false property is working properly

@wanlingt
Contributor Author

> lgtm! maybe just add one unit test to check that the select:false property is working properly

done! c773b37

@wanlingt wanlingt merged commit 1bb19c6 into develop Aug 11, 2023
15 checks passed
@wanlingt wanlingt deleted the fix/api-user branch August 11, 2023 05:11
wanlingt added a commit that referenced this pull request Aug 16, 2023
* fix(deps): bump libphonenumber-js from 1.10.38 to 1.10.39 in /shared (#6594)

Bumps [libphonenumber-js](https://gitlab.com/catamphetamine/libphonenumber-js) from 1.10.38 to 1.10.39.
- [Changelog](https://gitlab.com/catamphetamine/libphonenumber-js/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/catamphetamine/libphonenumber-js/compare/v1.10.38...v1.10.39)

---
updated-dependencies:
- dependency-name: libphonenumber-js
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: remove customMin and customMax virtuals (#6596)

Removed from number field and text field schemas

* chore: remove angular deps (#6602)

* fix(deps): bump validator from 13.9.0 to 13.11.0 in /shared (#6605)

Bumps [validator](https://github.com/validatorjs/validator.js) from 13.9.0 to 13.11.0.
- [Release notes](https://github.com/validatorjs/validator.js/releases)
- [Changelog](https://github.com/validatorjs/validator.js/blob/master/CHANGELOG.md)
- [Commits](validatorjs/validator.js@13.9.0...13.11.0)

---
updated-dependencies:
- dependency-name: validator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs: update feature section of README (#6603)

* docs: update feature section of README

* docs: remove E2E wording for encryption

* fix(deps): bump import-in-the-middle from 1.3.4 to 1.4.2 (#6609)

Bumps [import-in-the-middle](https://github.com/DataDog/import-in-the-middle) from 1.3.4 to 1.4.2.
- [Release notes](https://github.com/DataDog/import-in-the-middle/releases)
- [Commits](nodejs/import-in-the-middle@v1.3.4...v1.4.2)

---
updated-dependencies:
- dependency-name: import-in-the-middle
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(deps): bump type-fest from 4.1.0 to 4.2.0 in /shared (#6610)

Bumps [type-fest](https://github.com/sindresorhus/type-fest) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/sindresorhus/type-fest/releases)
- [Commits](sindresorhus/type-fest@v4.1.0...v4.2.0)

---
updated-dependencies:
- dependency-name: type-fest
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @types/lodash from 4.14.196 to 4.14.197 in /shared (#6612)

Bumps [@types/lodash](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/lodash) from 4.14.196 to 4.14.197.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/lodash)

---
updated-dependencies:
- dependency-name: "@types/lodash"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: filter out API details from user object (#6588)

* feat: restrict user fields to email and agency

* feat: remove apiToken property from populated user

* test: return correct admin properties in tests

* feat: remove apiToken from user queries

* feat: filter out apiToken in user model

* test: revert changes made to tests

* fix: remove line breaks

* fix: refine mongoose setup

* test: add check for apiToken property

* chore: Added react dev inspector (#6611)

* added react dev inspector

* moved react dev inspector to dev dependency

* changed command to trigger inspector

* fix(deps): bump libphonenumber-js from 1.10.39 to 1.10.40 in /shared (#6614)

Bumps [libphonenumber-js](https://gitlab.com/catamphetamine/libphonenumber-js) from 1.10.39 to 1.10.40.
- [Changelog](https://gitlab.com/catamphetamine/libphonenumber-js/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/catamphetamine/libphonenumber-js/compare/v1.10.39...v1.10.40)

---
updated-dependencies:
- dependency-name: libphonenumber-js
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(deps): bump libphonenumber-js from 1.10.40 to 1.10.41 in /shared (#6616)

Bumps [libphonenumber-js](https://gitlab.com/catamphetamine/libphonenumber-js) from 1.10.40 to 1.10.41.
- [Changelog](https://gitlab.com/catamphetamine/libphonenumber-js/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/catamphetamine/libphonenumber-js/compare/v1.10.40...v1.10.41)

---
updated-dependencies:
- dependency-name: libphonenumber-js
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: payment by products (#6301)

* wip

* refactor: move admin payments components to PaymentPanel folder

* add AddProductModal and basic item creation flow

* add BE payments product

* wip

* refactor admin payment products input

* fix version not passed to BE

* add _id to be exposed in product model, refactor product types

* wip add responder payment

* feat: add price calculation

* add clear variant for SingleSelect

* add ProductItem Quantity display

* add full width variant for checkbox

* refactor typing, add submit action to pass payment products

* add missing field id constant

* add registering of payment products into form context

* refactor: extract stripe events fn to stripe.events.controller

* refactor: break submission controller into its payment/non-payment creation handlers

* refactor: extract checks into ensure pipelines

* fix: remove duplicate PaymentItemDetailBlock

* fix: next() to be awaited

* refactor: extract price calculation to shared, rename ensuresIsX to ensureX

* fix: hide payment items block for v2, update preview to render using version specific

* refactor: submitEncryptModeForm

* refactor: FieldListDrawer with mapped header+component

* feat: add edit product

* feat: changed ProductModal min/max qty input to hide when multiqty is disabled

* fix: clicking PaymentPreview should redirect to their respective version of payment tab

* fix: paymentpreview to update with latest products when paymentstore changes

* feat: add product deletion flow for admin

* fix: Payment v2 description, refactor PaymetnItemDetailsBlock

* refactor: cleanup #1

* fix: edit mode multi_qty to reference incoming value, fix qty range generation

* fix: merge conflicts, to render-able state

* fix: be to compile-able state

* chore: revert unintended changes

* wip

* fix: remove unnecessary payment checks in handle update payment product

* fix(fe): adding products triggering local data replacement

* feat: support non-multi selection

* fix: quantity selection does not auto select item

* chore: remove unused comments

* feat: add full width variant on radio component

* chore: camelcase checkbox component theme

* feat: store purchased products into payment doc

* chore: remove unused imports

* fix: payment product quantity converted to boolean instead of number

* fix: test cases failing due to incorrect object comparison

* fix: duplicated code from incorrect merge resolution

* chore: update payment page width to match design

* feat: expose products to Payment Page

* refactor: payment UI

* feat: split payments summaries for fixed, variable, and products

* feat: add full payment summary for products

* fix: typing issues

* feat: itemized invoice for payment by products (#6574)

* fix: test cases failing due to incorrect object comparison

* fix: add products button not disabled when panel is disabled

* fix: products payment not showing title on paymentpreview

* feat: add product qty validation

* fix: remove stray test capture group

* feat: show error message if no products are selected (#6585)

* feat: add error message if no product is selected

* fix: change copy

* feat: set default quantity as min qty

* feat: use isProductSelected function to check if at least 1 product is selected

* fix: use Array.prototype.some()

* feat: hide fixed payment type if form is not a fixed payment

* fix: addproduct modal not displaying errors

* chore: send log all payments info instead of only products

* chore: remove unused files

* fix: add product not validating if max qty-payment amount exceed global limits

* chore: use divider instead of hr

* chore: add strong joi validator

* chore: update copy for payment qty-payment amount exceed

* refactor: change function into class to better express side-effects

* refactor: rename productitemschema to productschema

* feat: add joi validation for handleupdatepaymentsproduct

* chore: fix typo, remove unused comments nits

* feat: add payment summary to thank you page (#6591)

* feat: add CompletedPaymentSummary

* feat: add payment_fields_snapshot to payment model

* feat: show products and other payment metadata in thank you page

* feat: db migration script for payment_fields_snapshot

* fix: rename ProductItemSchema to ProductSchema

* fix: use form payment_fields as source of truth in payments model

* ref: refactor getProductNames

* ref: remove unused code

* test: update FormPaymentPage.stories

* refactor: paymentproducts to share same joi validator, add validator to encrypt-submission

* chore: copy changes, tweak order of payment type dropdown, fix padding when payment is not connected

* chore: remove title for payments by product type

* feat: add payment preview placeholder when admin has no items

* chore: products description to be optional, ui changes on payment preview product item

* feat: auto detect disabling multi product toggle

* chore: update copy for payment summary

* fix: unstuck divider with productitem on paymentpreview

* chore: product modal to calculate qty, ui updates

* fix: update text colors

* fix: expand button to full width for mobile

* fix: adjust spacing before recaptcha container

* fix: new payment form not defaulting to products

* fix: product payment type should not require name field validated

* fix: remove mention of gst on product modal if form is not gst enabled

* fix: update test cases to reflect new defaults

* fix: payment date race condition (#6619)

fix: move payment date to be returned together when receipt url exists

---------

Co-authored-by: wanlingt <56983748+wanlingt@users.noreply.github.com>
Co-authored-by: wanlingt <wanling@open.gov.sg>

* fix: supply empty object when snapshot script has not completely migrated (#6622)

* chore: bump version to v6.70.0

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Foo Chi Fa <59867455+foochifa@users.noreply.github.com>
Co-authored-by: LeonardYam <yamthesmall@gmail.com>
Co-authored-by: Justyn Oh <justynoh@gmail.com>
Co-authored-by: sebastianwzq <136435307+sebastianwzq@users.noreply.github.com>
Co-authored-by: Ken Lee Shu Ming <ken@open.gov.sg>
@wanlingt wanlingt mentioned this pull request Aug 17, 2023