fix(home): address review nitpicks on team projection and deps

PierreBrisorgueil · PierreBrisorgueil · commit 8ff5d3e64cfc · 2026-05-29T13:34:54.000+02:00
diff --git a/modules/home/services/home.service.js b/modules/home/services/home.service.js
@@ -36,12 +36,10 @@ const page = async (name) => {
 
 /**
  * @desc Function to get all admin users in db, returning only public-safe fields.
- * @returns {Promise<Array>} Public user profiles (firstName, lastName, bio, position, avatar)
+ * Uses a lean projection so no Mongoose virtuals (e.g. `id`) can re-introduce hidden fields.
+ * @returns {Promise<Array<{firstName: string, lastName: string, bio: string, position: string, avatar: string}>>} Public user profiles
  */
-const team = async () => {
-  const result = await HomeRepository.team();
-  return result.map((user) => (typeof user.toJSON === 'function' ? user.toJSON() : user));
-};
+const team = async () => HomeRepository.team();
 
 /**
  * @desc Build health status including database connectivity.
diff --git a/modules/home/tests/home.integration.tests.js b/modules/home/tests/home.integration.tests.js
@@ -74,14 +74,13 @@ describe('Home integration tests:', () => {
         expect(result.body.type).toBe('success');
         expect(result.body.message).toBe('team list');
         expect(result.body.data).toBeInstanceOf(Array);
-        // Verify no sensitive fields are exposed
+        // Assert the strict public-field allowlist: every key must be one of these,
+        // so no unexpected field (incl. _id / id / sensitive data) can ever leak.
+        const ALLOWED_FIELDS = new Set(['firstName', 'lastName', 'bio', 'position', 'avatar']);
         result.body.data.forEach((member) => {
-          expect(member).not.toHaveProperty('email');
-          expect(member).not.toHaveProperty('emailVerified');
-          expect(member).not.toHaveProperty('lastLoginAt');
-          expect(member).not.toHaveProperty('roles');
-          expect(member).not.toHaveProperty('password');
-          expect(member).not.toHaveProperty('providerData');
+          Object.keys(member).forEach((key) => {
+            expect(ALLOWED_FIELDS.has(key)).toBe(true);
+          });
         });
       } catch (err) {
         expect(err).toBeFalsy();
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -51,7 +51,6 @@
   "dependencies": {
     "@casl/ability": "^7.0.0",
     "@jest/globals": "^30.4.1",
-    "axios": "^1.16.1",
     "bcrypt": "^6.0.0",
     "bson": "^7.2.0",
     "chalk": "^5.6.2",
@@ -68,7 +67,6 @@
     "helmet": "~8.2.0",
     "inquirer": "^13.4.3",
     "jest-environment-jsdom": "^30.4.1",
-    "js-base64": "^3.7.8",
     "js-yaml": "^4.1.1",
     "jsonwebtoken": "^9.0.3",
     "lodash": "^4.18.1",
