From 47145be3b50632078ff6ab8a808211acd682e309 Mon Sep 17 00:00:00 2001
From: bnematzadeh <vicforbounty@gmail.com>
Date: Tue, 5 Nov 2024 14:24:56 -0700
Subject: [PATCH 1/6] Fix Sensitive Data Exposure

---
 server/lib/user/user.get.js       |  2 ++
 server/test/security/user.test.js | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 server/test/security/user.test.js

diff --git a/server/lib/user/user.get.js b/server/lib/user/user.get.js
index e99cb844d7..7e1aa0bcab 100644
--- a/server/lib/user/user.get.js
+++ b/server/lib/user/user.get.js
@@ -65,6 +65,8 @@ async function get(options) {
     if (userPlain.picture && userPlain.picture.toString) {
       userPlain.picture = userPlain.picture.toString('utf8');
     }
+    delete userPlain.password;
+    delete userPlain.telegram_user_id;
     return userPlain;
   });
 
diff --git a/server/test/security/user.test.js b/server/test/security/user.test.js
new file mode 100644
index 0000000000..46ef12f3da
--- /dev/null
+++ b/server/test/security/user.test.js
@@ -0,0 +1,15 @@
+const { expect } = require('chai');
+const { request, authenticatedRequest } = require('../controllers/request.test');
+
+describe('/api/v1/user/', () => {
+  it('should return all users with password - regular user', async () => {
+    await authenticatedRequest
+      .get('/api/v1/user?fields=password')
+      .expect('Content-Type', /json/)
+      .expect(200)
+      .then((res)=>{
+        console.log(res.body)
+      })
+   });
+})
+

From 636ce61f6b4b6d059495fa1108447d926a9f4c8e Mon Sep 17 00:00:00 2001
From: Borna Nematzadeh <74822121+bnematzadeh@users.noreply.github.com>
Date: Wed, 6 Nov 2024 00:53:04 -0700
Subject: [PATCH 2/6] Update user.test.js

---
 server/test/security/user.test.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/test/security/user.test.js b/server/test/security/user.test.js
index 46ef12f3da..3f652de3fe 100644
--- a/server/test/security/user.test.js
+++ b/server/test/security/user.test.js
@@ -2,13 +2,13 @@ const { expect } = require('chai');
 const { request, authenticatedRequest } = require('../controllers/request.test');
 
 describe('/api/v1/user/', () => {
-  it('should return all users with password - regular user', async () => {
+  it('should return all users without password', async () => {
     await authenticatedRequest
       .get('/api/v1/user?fields=password')
       .expect('Content-Type', /json/)
       .expect(200)
       .then((res)=>{
-        console.log(res.body)
+        expect(res.body).to.not.have.key('password')
       })
    });
 })

From 36ee61ea384a7fe29cf6e5017fcc1b1bb3a115fc Mon Sep 17 00:00:00 2001
From: Borna Nematzadeh <74822121+bnematzadeh@users.noreply.github.com>
Date: Fri, 8 Nov 2024 05:35:33 -0700
Subject: [PATCH 3/6] Update user.test.js

I modified this test and it passed successfully
---
 server/test/security/user.test.js | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/server/test/security/user.test.js b/server/test/security/user.test.js
index 3f652de3fe..e142cbc348 100644
--- a/server/test/security/user.test.js
+++ b/server/test/security/user.test.js
@@ -1,15 +1,17 @@
-const { expect } = require('chai');
-const { request, authenticatedRequest } = require('../controllers/request.test');
+const {
+  expect
+} = require('chai');
+const {
+  request,
+  authenticatedRequest
+} = require('../controllers/request.test');
 
-describe('/api/v1/user/', () => {
-  it('should return all users without password', async () => {
-    await authenticatedRequest
-      .get('/api/v1/user?fields=password')
-      .expect('Content-Type', /json/)
-      .expect(200)
-      .then((res)=>{
-        expect(res.body).to.not.have.key('password')
-      })
-   });
+describe('/api/v1/user/', () = >{
+  it('should return all users without password', async() = >{
+    await authenticatedRequest.get('/api/v1/user?fields=password').expect('Content-Type', /json/).expect(200).then((res) = >{
+      res.body.forEach((user) = >{
+        expect(user).to.not.have.property('password');
+      });
+    })
+  });
 })
-

From 6560f0a4fb02b7bd506ee3dfd334dd36ff5b962c Mon Sep 17 00:00:00 2001
From: Borna Nematzadeh <74822121+bnematzadeh@users.noreply.github.com>
Date: Fri, 8 Nov 2024 05:48:57 -0700
Subject: [PATCH 4/6] Update user.test.js

---
 server/test/security/user.test.js | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/server/test/security/user.test.js b/server/test/security/user.test.js
index e142cbc348..79024c0bee 100644
--- a/server/test/security/user.test.js
+++ b/server/test/security/user.test.js
@@ -1,17 +1,16 @@
-const {
-  expect
-} = require('chai');
-const {
-  request,
-  authenticatedRequest
-} = require('../controllers/request.test');
+const { expect } = require('chai');
+const { request, authenticatedRequest } = require('../controllers/request.test');
 
-describe('/api/v1/user/', () = >{
-  it('should return all users without password', async() = >{
-    await authenticatedRequest.get('/api/v1/user?fields=password').expect('Content-Type', /json/).expect(200).then((res) = >{
-      res.body.forEach((user) = >{
-        expect(user).to.not.have.property('password');
+describe('/api/v1/user/', () => {
+  it('should return all users without password', async () => {
+    await authenticatedRequest
+      .get('/api/v1/user?fields=password')
+      .expect('Content-Type', /json/)
+      .expect(200)
+      .then((res) => {
+        res.body.forEach((user) => {
+          expect(user).to.not.have.property('password');
+        });
       });
-    })
   });
-})
+});

From 759dea67fc8dc2be59c5ccf75016e7d0980ac584 Mon Sep 17 00:00:00 2001
From: bnematzadeh <vicforbounty@gmail.com>
Date: Fri, 8 Nov 2024 06:46:44 -0700
Subject: [PATCH 5/6] Update user.test.js

---
 server/test/security/user.test.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/test/security/user.test.js b/server/test/security/user.test.js
index 79024c0bee..a3101e53bf 100644
--- a/server/test/security/user.test.js
+++ b/server/test/security/user.test.js
@@ -1,6 +1,7 @@
 const { expect } = require('chai');
 const { request, authenticatedRequest } = require('../controllers/request.test');
 
+// updated
 describe('/api/v1/user/', () => {
   it('should return all users without password', async () => {
     await authenticatedRequest

From 9b42e71cf82f8ed372aefecc412bb589081071b2 Mon Sep 17 00:00:00 2001
From: bnematzadeh <vicforbounty@gmail.com>
Date: Fri, 8 Nov 2024 07:15:49 -0700
Subject: [PATCH 6/6] Update user.test.js

---
 server/test/security/user.test.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/server/test/security/user.test.js b/server/test/security/user.test.js
index a3101e53bf..3bb9aaa16b 100644
--- a/server/test/security/user.test.js
+++ b/server/test/security/user.test.js
@@ -1,7 +1,6 @@
 const { expect } = require('chai');
-const { request, authenticatedRequest } = require('../controllers/request.test');
+const { authenticatedRequest } = require('../controllers/request.test');
 
-// updated
 describe('/api/v1/user/', () => {
   it('should return all users without password', async () => {
     await authenticatedRequest