🚑 Fix security call client-side

panoratech · Jun 25, 2024 · dd15004 · dd15004
1 parent 33441cc
commit dd15004
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/packages/api/src/@core/connections-strategies/connections-strategies.controller.ts b/packages/api/src/@core/connections-strategies/connections-strategies.controller.ts
@@ -128,7 +128,7 @@ export class ConnectionsStrategiesController {
     @Query('projectId') projectId: string,
     @Query('type') type: string,
   ) {
-    return await this.connectionsStrategiesService.getCredentials(
+    return await this.connectionsStrategiesService.getSafeCredentials(
       projectId,
       type,
     );

diff --git a/packages/api/src/@core/connections-strategies/connections-strategies.service.ts b/packages/api/src/@core/connections-strategies/connections-strategies.service.ts
@@ -15,6 +15,7 @@ import {
   extractVertical,
   needsSubdomain,
   CONNECTORS_METADATA,
+  OAuth2AuthData,
 } from '@panora/shared';
 import { SoftwareMode } from '@panora/shared';
 import { v4 as uuidv4 } from 'uuid';
@@ -308,7 +309,29 @@ export class ConnectionsStrategiesService {
     }
   }
 
-  async getCredentials(projectId: string, type: string) {
+  isOAuth2AuthData(data: AuthData): data is OAuth2AuthData {
+    return (
+      (data as OAuth2AuthData).CLIENT_ID !== undefined &&
+      (data as OAuth2AuthData).CLIENT_SECRET !== undefined
+    );
+  }
+
+  async getSafeCredentials(projectId: string, type: string) {
+    try {
+      const res = await this.getCredentials(projectId, type);
+
+      if (this.isOAuth2AuthData(res)) {
+        const { CLIENT_SECRET, ...safeData } = res;
+        return safeData;
+      }
+
+      return res;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  async getCredentials(projectId: string, type: string): Promise<AuthData> {
     try {
       const isCustomCred = await this.isCustomCredentials(projectId, type);
       const provider = extractProvider(type);