fix(home): restrict /team fields, remove releases/changelog, add jwt readiness check (#3724 #3725 #3718) (#3735)

* fix(home): restrict /team fields, remove releases/changelog, jwt readiness check (#3724 #3725 #3718)

- #3724: restrict /api/home/team to public-safe fields only (firstName,
  lastName, bio, position, avatar) via positive MongoDB projection in
  repository; drop removeSensitive call in service since projection
  already enforces the whitelist
- #3725: remove releases and changelogs feature entirely — remove
  service functions, controller handlers, routes, config.repos config,
  and all related tests; drop unused axios and js-base64 imports
- #3718: JWT readiness check already present in getReadinessStatus()
  under 'security' category (warns when secret equals known default);
  update tests to match current category list
  ['config','security','auth','mail','billing','analytics','errorTracking']

* fix(home): address review nitpicks on team projection and deps

* fix(home): lean -_id team projection

Author: PierreBrisorgueil

modules/home/config/home.development.config.js

@@ -1,21 +1,3 @@
-const config = {
-  repos: [
-    {
-      // generate releases and changelogs list auto /api/core/changelogs /api/core/releases
-      title: 'Node',
-      owner: 'pierreb-devkit',
-      repo: 'node',
-      changelog: 'CHANGELOG.md',
-      token: null,
-    },
-    {
-      title: 'Vue',
-      owner: 'pierreb-devkit',
-      repo: 'vue',
-      changelog: 'CHANGELOG.md',
-      token: null,
-    },
-  ],
-};
+const config = {};
 
 export default config;

modules/home/controllers/home.controller.js

@@ -7,34 +7,6 @@ import errors from '../../../lib/helpers/errors.js';
 import responses from '../../../lib/helpers/responses.js';
 import HomeService from '../services/home.service.js';
 
-/**
- * @desc Endpoint to ask the service to get the releases
- * @param {Object} req - Express request object
- * @param {Object} res - Express response object
- */
-const releases = async (req, res) => {
-  try {
-    const releases = await HomeService.releases();
-    responses.success(res, 'releases')(releases);
-  } catch (err) {
-    responses.error(res, 422, 'Unprocessable Entity', errors.getMessage(err))(err);
-  }
-};
-
-/**
- * @desc Endpoint to ask the service to get the changelogs
- * @param {Object} req - Express request object
- * @param {Object} res - Express response object
- */
-const changelogs = async (req, res) => {
-  try {
-    const changelogs = await HomeService.changelogs();
-    responses.success(res, 'changelogs')(changelogs);
-  } catch (err) {
-    responses.error(res, 422, 'Unprocessable Entity', errors.getMessage(err))(err);
-  }
-};
-
 /**
  * @desc Endpoint to ask the service to get the list of users
  * @param {Object} req - Express request object
@@ -112,8 +84,6 @@ const readiness = (req, res) => {
 };
 
 export default {
-  releases,
-  changelogs,
   team,
   page,
   pageByName,

modules/home/policies/home.policy.js

@@ -15,7 +15,7 @@ export function homeSubjectRegistration({ registerPathSubject }) {
 
 /**
  * Define home-related abilities for an authenticated user.
- * All authenticated users can read home content (releases, changelogs, team, pages).
+ * All authenticated users can read home content (team, pages).
  * @param {Object} user - The authenticated user
  * @param {Object|null} membership - Optional organization membership (reserved for future use)
  * @param {Object} builder - CASL AbilityBuilder helpers
@@ -30,7 +30,7 @@ export function homeAbilities(user, membership, { can }) {
 
 /**
  * Define home-related abilities for unauthenticated guests.
- * Guests can read all home content (releases, changelogs, team, pages).
+ * Guests can read all home content (team, pages).
  * @param {Object} builder - CASL AbilityBuilder helpers
  * @param {Function} builder.can - Grant an ability
  */

modules/home/repositories/home.repository.js

@@ -9,7 +9,7 @@ const User = mongoose.model('User');
  * @desc Function to get all user in db
  * @return {Array} All users
  */
-const team = () => User.find({ roles: 'admin' }, '-password -providerData -complementary').sort('-createdAt').exec();
+const team = () => User.find({ roles: 'admin' }, 'firstName lastName bio position avatar -_id').lean().sort('-createdAt').exec();
 
 export default {
   team,

modules/home/routes/home.route.js

@@ -27,11 +27,7 @@ const optionalAuth = (req, res, next) => {
 export default (app) => {
   // health check — public, enriched response for admins
   app.route('/api/health').get(optionalAuth, home.health);
-  // changelogs
-  app.route('/api/home/releases').all(policy.isAllowed).get(home.releases);
-  // changelogs
-  app.route('/api/home/changelogs').all(policy.isAllowed).get(home.changelogs);
-  // changelogs
+  // team — public staff page
   app.route('/api/home/team').all(policy.isAllowed).get(home.team);
   // markdown files
   app.route('/api/home/pages/:name').all(policy.isAllowed).get(home.page);

modules/home/services/home.service.js

@@ -1,17 +1,14 @@
 /**
  * Module dependencies
  */
-import axios from 'axios';
 import path from 'path';
 import _ from 'lodash';
-import { Base64 } from 'js-base64';
 import { promises as fs } from 'fs';
 import mongoose from 'mongoose';
 
 import config from '../../../config/index.js';
 import mailer from '../../../lib/helpers/mailer/index.js';
 import HomeRepository from '../repositories/home.repository.js';
-import { removeSensitive } from '../../users/utils/sanitizeUser.js';
 
 /**
  * @desc Check whether a config value is meaningfully set (non-empty, not a DEVKIT placeholder).
@@ -38,62 +35,11 @@ const page = async (name) => {
 };
 
 /**
- * @desc Fetch releases from configured GitHub repos. Returns an empty array on API failure (graceful degradation).
- * @return {Promise<Array<{title: string, list: Array}>>} Releases grouped by repo, or [] on error
+ * @desc Function to get all admin users in db, returning only public-safe fields.
+ * Uses a lean projection so no Mongoose virtuals (e.g. `id`) can re-introduce hidden fields.
+ * @returns {Promise<Array<{firstName: string, lastName: string, bio: string, position: string, avatar: string}>>} Public user profiles
  */
-const releases = async () => {
-  try {
-    const requests = config.repos.map((item) =>
-      axios.get(`https://api.github.com/repos/${item.owner}/${item.repo}/releases`, {
-        headers: item.token ? { Authorization: `token ${item.token}` } : {},
-      }),
-    );
-    let results = await axios.all(requests);
-    results = results.map((result, i) => ({
-      title: config.repos[i].title,
-      list: result.data.map((release) => ({
-        name: release.name,
-        prerelease: release.prerelease,
-        published_at: release.published_at,
-      })),
-    }));
-    return results;
-  } catch (_err) {
-    return [];
-  }
-};
-
-/**
- * @desc Fetch changelogs from configured GitHub repos. Returns an empty array on API failure (graceful degradation).
- * @return {Promise<Array<{title: string, markdown: string}>>} Changelogs grouped by repo, or [] on error
- */
-const changelogs = async () => {
-  try {
-    const repos = _.filter(config.repos, (repo) => repo.changelog);
-    const requests = repos.map((item) =>
-      axios.get(`https://api.github.com/repos/${item.owner}/${item.repo}/contents/${item.changelog}`, {
-        headers: item.token ? { Authorization: `token ${item.token}` } : {},
-      }),
-    );
-    let results = await axios.all(requests);
-    results = results.map((result, i) => ({
-      title: repos[i].title,
-      markdown: Base64.decode(result.data.content),
-    }));
-    return results;
-  } catch (_err) {
-    return [];
-  }
-};
-
-/**
- * @desc Function to get all admin users in db
- * @returns {Promise<Array>} All users (sanitized)
- */
-const team = async () => {
-  const result = await HomeRepository.team();
-  return result.map((user) => removeSensitive(user));
-};
+const team = async () => HomeRepository.team();
 
 /**
  * @desc Build health status including database connectivity.
@@ -183,8 +129,6 @@ const getReadinessStatus = () => {
 
 export default {
   page,
-  releases,
-  changelogs,
   team,
   getHealthStatus,
   getReadinessStatus,

modules/home/tests/home.integration.tests.js

@@ -2,7 +2,6 @@
  * Module dependencies.
  */
 import { jest } from '@jest/globals';
-import axios from 'axios';
 import jwt from 'jsonwebtoken';
 import mongoose from 'mongoose';
 import path from 'path';
@@ -26,16 +25,6 @@ describe('Home integration tests:', () => {
 
   //  init
   beforeAll(async () => {
-    // Mock GitHub API calls to avoid real network requests in tests
-    jest.spyOn(axios, 'get').mockImplementation(async (url) => {
-      if (url.includes('/releases')) {
-        return { data: [{ name: 'v1.0.0', prerelease: false, published_at: '2024-01-01T00:00:00Z' }] };
-      }
-      if (url.includes('/contents/')) {
-        return { data: { content: Buffer.from('# Changelog\n## v1.0.0\n- First release').toString('base64') } };
-      }
-      throw new Error(`Unexpected GitHub API URL: ${url}`);
-    });
     try {
       originalOrganizationsEnabled = config.organizations.enabled;
       config.organizations.enabled = false;
@@ -79,26 +68,20 @@ describe('Home integration tests:', () => {
   // into later describes (#3472). Auth-required cases still use explicit
   // `set('Cookie', 'TOKEN=...')` headers derived from JWTs.
   describe('Logout', () => {
-    test('should be able to get releases', async () => {
-      const result = await request(app).get('/api/home/releases').expect(200);
-      expect(result.body.type).toBe('success');
-      expect(result.body.message).toBe('releases');
-      expect(result.body.data).toBeInstanceOf(Array);
-    });
-
-    test('should be able to get changelogs', async () => {
-      const result = await request(app).get('/api/home/changelogs').expect(200);
-      expect(result.body.type).toBe('success');
-      expect(result.body.message).toBe('changelogs');
-      expect(result.body.data).toBeInstanceOf(Array);
-    });
-
-    test('should be able to get team members', async () => {
+    test('should be able to get team members with public fields only', async () => {
       try {
         const result = await request(app).get('/api/home/team').expect(200);
         expect(result.body.type).toBe('success');
         expect(result.body.message).toBe('team list');
         expect(result.body.data).toBeInstanceOf(Array);
+        // Assert the strict public-field allowlist: every key must be one of these,
+        // so no unexpected field (incl. _id / id / sensitive data) can ever leak.
+        const ALLOWED_FIELDS = new Set(['firstName', 'lastName', 'bio', 'position', 'avatar']);
+        result.body.data.forEach((member) => {
+          Object.keys(member).forEach((key) => {
+            expect(ALLOWED_FIELDS.has(key)).toBe(true);
+          });
+        });
       } catch (err) {
         expect(err).toBeFalsy();
         console.log(err);
@@ -131,51 +114,6 @@ describe('Home integration tests:', () => {
       }
     });
 
-    test('should return empty releases gracefully when GitHub API fails', async () => {
-      axios.get.mockRejectedValueOnce(new Error('GitHub API unavailable'));
-      const result = await request(app).get('/api/home/releases').expect(200);
-      expect(result.body.type).toBe('success');
-      expect(result.body.message).toBe('releases');
-      expect(result.body.data).toEqual([]);
-    });
-
-    test('should return empty changelogs gracefully when GitHub API fails', async () => {
-      axios.get.mockRejectedValueOnce(new Error('GitHub API unavailable'));
-      const result = await request(app).get('/api/home/changelogs').expect(200);
-      expect(result.body.type).toBe('success');
-      expect(result.body.message).toBe('changelogs');
-      expect(result.body.data).toEqual([]);
-    });
-
-    test('should use Authorization header when a token is configured for releases', async () => {
-      const originalRepos = config.repos;
-      axios.get.mockClear();
-      // Temporarily set a fake token to cover the token-truthy branch in home.service releases()
-      config.repos = originalRepos.map((repo) => ({ ...repo, token: 'fake-test-token' }));
-      const result = await request(app).get('/api/home/releases').expect(200);
-      expect(result.body.type).toBe('success');
-      const releaseCalls = axios.get.mock.calls.filter(([url]) => url.includes('/releases'));
-      expect(releaseCalls.length).toBeGreaterThan(0);
-      releaseCalls.forEach(([, options]) => {
-        expect(options.headers.Authorization).toBe('token fake-test-token');
-      });
-      config.repos = originalRepos;
-    });
-
-    test('should use Authorization header when a token is configured for changelogs', async () => {
-      const originalRepos = config.repos;
-      axios.get.mockClear();
-      config.repos = originalRepos.map((repo) => ({ ...repo, token: 'fake-test-token' }));
-      const result = await request(app).get('/api/home/changelogs').expect(200);
-      expect(result.body.type).toBe('success');
-      const changelogCalls = axios.get.mock.calls.filter(([url]) => url.includes('/contents/'));
-      expect(changelogCalls.length).toBeGreaterThan(0);
-      changelogCalls.forEach(([, options]) => {
-        expect(options.headers.Authorization).toBe('token fake-test-token');
-      });
-      config.repos = originalRepos;
-    });
-
     test('should return minimal health status without auth', async () => {
       const result = await request(app).get('/api/health').expect(200);
       expect(result.body.type).toBe('success');

modules/home/tests/home.service.unit.tests.js

@@ -25,10 +25,6 @@ describe('HomeService.getReadinessStatus unit tests:', () => {
       default: { team: jest.fn().mockResolvedValue([]) },
     }));
 
-    // Mock axios to avoid real network calls
-    jest.unstable_mockModule('axios', () => ({
-      default: { get: jest.fn().mockResolvedValue({ data: [] }), all: jest.fn().mockResolvedValue([]) },
-    }));
   });
 
   afterEach(() => {