feat: hide tokens and password on contact inbox payloads (#10888)

Contact Inbox object contained unnecessary attributes which will be removed under this PR.
2025-02-21 10:52:12 +05:30
parent f3b8777ebf
commit 27f7e0921e
4 changed files with 41 additions and 2 deletions
--- a/app/views/api/v1/accounts/contacts/contactable_inboxes.json.jbuilder
+++ b/app/views/api/v1/accounts/contacts/contactable_inboxes.json.jbuilder
@@ -1,7 +1,7 @@
 json.payload do
  json.array! @contactable_inboxes do |contactable_inbox|
    json.inbox do
-      json.partial! 'api/v1/models/inbox', formats: [:json], resource: contactable_inbox[:inbox]
+      json.partial! 'api/v1/models/inbox_slim', formats: [:json], resource: contactable_inbox[:inbox]
    end
    json.source_id contactable_inbox[:source_id]
  end
--- a/app/views/api/v1/models/_contact_inbox.json.jbuilder
+++ b/app/views/api/v1/models/_contact_inbox.json.jbuilder
@@ -1,4 +1,4 @@
 json.source_id resource.source_id
 json.inbox do
-  json.partial! 'api/v1/models/inbox', formats: [:json], resource: resource.inbox
+  json.partial! 'api/v1/models/inbox_slim', formats: [:json], resource: resource.inbox
 end
--- a/app/views/api/v1/models/_inbox_slim.json.jbuilder
+++ b/app/views/api/v1/models/_inbox_slim.json.jbuilder
@@ -0,0 +1,7 @@
+json.id resource.id
+json.avatar_url resource.try(:avatar_url)
+json.channel_id resource.channel_id
+json.name resource.name
+json.channel_type resource.channel_type
+json.provider resource.channel.try(:provider)
+json.email resource.channel.try(:email) if resource.email?
--- a/spec/controllers/api/v1/accounts/contacts_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/contacts_controller_spec.rb
@@ -67,6 +67,38 @@ RSpec.describe 'Contacts API', type: :request do
        expect(contact_inboxes).to eq([])
      end

+      it 'returns limited information on inboxes' do
+        get "/api/v1/accounts/#{account.id}/contacts?include_contact_inboxes=true",
+            headers: admin.create_new_auth_token,
+            as: :json
+
+        expect(response).to have_http_status(:success)
+        response_body = response.parsed_body
+
+        contact_emails = response_body['payload'].pluck('email')
+        contact_inboxes = response_body['payload'].pluck('contact_inboxes').flatten.compact
+        expect(contact_emails).to include(contact.email)
+        first_inbox = contact_inboxes[0]['inbox']
+        expect(first_inbox).to be_a(Hash)
+        expect(first_inbox).to include('id', 'channel_id', 'channel_type', 'name', 'avatar_url', 'provider')
+
+        expect(first_inbox).not_to include('imap_login',
+                                           'imap_password',
+                                           'imap_address',
+                                           'imap_port',
+                                           'imap_enabled',
+                                           'imap_enable_ssl')
+
+        expect(first_inbox).not_to include('smtp_login',
+                                           'smtp_password',
+                                           'smtp_address',
+                                           'smtp_port',
+                                           'smtp_enabled',
+                                           'smtp_domain')
+
+        expect(first_inbox).not_to include('hmac_token', 'provider_config')
+      end
+
      it 'returns all contacts with company name desc order' do
        get "/api/v1/accounts/#{account.id}/contacts?include_contact_inboxes=false&sort=-company",
            headers: admin.create_new_auth_token,