fix(users): admin GET /users/:id no longer leaks password hash and tokens (#3731)

PierreBrisorgueil · web-flow · commit b08e9a382c4c · 2026-05-29T14:48:32.000+02:00
* fix(users): admin GET /users/:id no longer leaks password hash and tokens `get` handler called `req.model.toJSON()` (raw Mongoose doc, no strip) while `list` correctly used `UserService.removeSensitive`. Aligns `get` with `list` by routing through `removeSensitive`. Adds an integration test asserting `password`, `resetPasswordToken`, `emailVerificationToken`, and `salt` are absent from the response. Closes #3723 * test(users): seed tokens before PII-leak assertion to make regression meaningful The previous assertion would pass vacuously when resetPasswordToken and emailVerificationToken are absent on the user. Seed both fields via updateById before the admin GET so the test proves the leak is actually blocked, not just that the fields were never present. Addresses: #3731 (comment)...
diff --git a/modules/users/controllers/users.admin.controller.js b/modules/users/controllers/users.admin.controller.js
@@ -41,7 +41,7 @@ const list = async (req, res) => {
  */
 const get = async (req, res) => {
   try {
-    const user = req.model ? req.model.toJSON() : {};
+    const user = req.model ? UserService.removeSensitive(req.model) : {};
     const memberships = await MembershipService.listByUser(user._id || user.id);
     user.memberships = memberships.map((m) => {
       const obj = m.toJSON ? m.toJSON() : { ...m };
diff --git a/modules/users/tests/user.admin.integration.tests.js b/modules/users/tests/user.admin.integration.tests.js
@@ -225,6 +225,46 @@ describe('User admin integration tests:', () => {
       }
     });
 
+    test('should not expose sensitive fields (password, tokens) in admin GET /users/:id', async () => {
+      try {
+        userEdited = await signupAndPromoteAdmin(agent, { ..._userEdited, roles: ['user', 'admin'] });
+      } catch (err) {
+        console.log(err);
+        expect(err).toBeFalsy();
+      }
+
+      // Seed token fields so the regression test is meaningful — without this,
+      // the assertions pass vacuously because the fields are simply absent.
+      try {
+        await UserService.updateById(userEdited._id, {
+          resetPasswordToken: 'test-reset-token',
+          emailVerificationToken: 'test-verification-token',
+        });
+      } catch (err) {
+        console.log(err);
+        expect(err).toBeFalsy();
+      }
+
+      try {
+        const result = await agent.get(`/api/admin/users/${userEdited._id}`).expect(200);
+        expect(result.body.data).toBeInstanceOf(Object);
+        expect(result.body.data.password).toBeUndefined();
+        expect(result.body.data.resetPasswordToken).toBeUndefined();
+        expect(result.body.data.emailVerificationToken).toBeUndefined();
+        expect(result.body.data.salt).toBeUndefined();
+      } catch (err) {
+        console.log(err);
+        expect(err).toBeFalsy();
+      }
+
+      try {
+        await UserService.remove(userEdited);
+      } catch (err) {
+        console.log(err);
+        expect(err).toBeFalsy();
+      }
+    });
+
     test('should be able to update a single user details if admin', async () => {
       try {
         userEdited = await signupAndPromoteAdmin(agent, { ..._userEdited, roles: ['user', 'admin'] });
