Merge pull request #3902 from overleaf/sk-ref-providers-hide

Editor: don't leak encrypted tokens to frontend GitOrigin-RevId: 245c1e9d479f7eec2979b46a5959bd3eb9f08363
2026-05-30 12:24:25 +02:00 · 2021-04-21 09:23:46 +01:00
parent 58fbbf6269
commit 07ec567b07
3 changed files with 41 additions and 3 deletions
--- a/services/web/test/unit/src/Project/ProjectControllerTests.js
+++ b/services/web/test/unit/src/Project/ProjectControllerTests.js
@@ -896,7 +896,11 @@ describe('ProjectController', function () {
          fontSize: 'massive',
          theme: 'sexy'
        },
-        email: 'bob@bob.com'
+        email: 'bob@bob.com',
+        refProviders: {
+          mendeley: { encrypted: 'aaaa' },
+          zotero: { encrypted: 'bbbb' }
+        }
      }
      this.ProjectGetter.getProject.callsArgWith(2, null, this.project)
      this.UserModel.findById.callsArgWith(2, null, this.user)
@@ -927,6 +931,17 @@ describe('ProjectController', function () {
      this.ProjectController.loadEditor(this.req, this.res)
    })

+    it('should sanitize refProviders', function (done) {
+      this.res.render = (_pageName, opts) => {
+        expect(opts.user.refProviders).to.deep.equal({
+          mendeley: true,
+          zotero: true
+        })
+        done()
+      }
+      this.ProjectController.loadEditor(this.req, this.res)
+    })
+
    it('should add on userSettings', function (done) {
      this.res.render = (pageName, opts) => {
        opts.userSettings.fontSize.should.equal(this.user.ace.fontSize)