diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 89ccb1e30a..7481c6bb05 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -1845,6 +1845,9 @@ App::post('/v1/account/tokens/magic-url')
 'team' => '',
 ];
+ // Hide secret for clients
+ $token->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $tokenSecret : '');
+
 $queueForMails
 ->setSubject($subject)
 ->setBody($body)
@@ -1853,23 +1856,16 @@ App::post('/v1/account/tokens/magic-url')
 ->trigger();
 $queueForEvents->setPayload(
- $response->output(
- $token->setAttribute('secret', $tokenSecret),
- Response::MODEL_TOKEN
- )
+ $response->output($token, Response::MODEL_TOKEN)
 );
- // Hide secret for clients
- $token->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $tokenSecret : '');
-
 if (!empty($phrase)) {
 $token->setAttribute('phrase', $phrase);
 }
 $response
 ->setStatusCode(Response::STATUS_CODE_CREATED)
- ->dynamic($token, Response::MODEL_TOKEN)
- ;
+ ->dynamic($token, Response::MODEL_TOKEN);
 });
 App::post('/v1/account/tokens/email')
@@ -2074,6 +2070,9 @@ App::post('/v1/account/tokens/email')
 'team' => '',
 ];
+ // Hide secret for clients
+ $token->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $tokenSecret : '');
+
 $queueForMails
 ->setSubject($subject)
 ->setBody($body)
@@ -2082,23 +2081,16 @@ App::post('/v1/account/tokens/email')
 ->trigger();
 $queueForEvents->setPayload(
- $response->output(
- $token->setAttribute('secret', $tokenSecret),
- Response::MODEL_TOKEN
- )
+ $response->output($token, Response::MODEL_TOKEN)
 );
- // Hide secret for clients
- $token->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $tokenSecret : '');
-
 if (!empty($phrase)) {
 $token->setAttribute('phrase', $phrase);
 }
 $response
 ->setStatusCode(Response::STATUS_CODE_CREATED)
- ->dynamic($token, Response::MODEL_TOKEN)
- ;
+ ->dynamic($token, Response::MODEL_TOKEN);
 });
 App::put('/v1/account/sessions/magic-url')
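Review bot: The comment `// Hide secret for clients` now undersells what the moved line governs: because it runs before `$queueForEvents->setPayload(...)`, it also decides whether the raw `$tokenSecret` is serialized into the event payload, and for `$isPrivilegedUser || $isAppUser` callers it still is. I would reword it to `// Hide secret from the client response and the event payload unless the caller is privileged or an app user` so the next reader does not move the line back below the event payload, which is exactly the ordering this commit removes. Whether event consumers should receive the plaintext secret at all when an API key creates the token deserves a deliberate decision rather than being a side effect of the response-visibility rule; if not, build the event payload from a copy of the document with `secret` cleared. The same applies to the hunks at `@@ -2074` and `@@ -2082` here, to the phone and recovery hunks on the next line, and to the verification hunks after that. The enclosing route closures start outside these hunks, so I cannot see whether `$body` or the mail queue reads `$token` after the secret is blanked.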
@@ -2309,6 +2301,9 @@ App::post('/v1/account/tokens/phone')
 ],
 ]);
+ // Hide secret for clients
+ $token->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? Auth::encodeSession($user->getId(), $secret) : '');
+
 $queueForMessaging
 ->setType(MESSAGE_SEND_TYPE_INTERNAL)
 ->setMessage($messageDoc)
@@ -2316,19 +2311,12 @@ App::post('/v1/account/tokens/phone')
 ->setProviderType(MESSAGE_TYPE_SMS);
 $queueForEvents->setPayload(
- $response->output(
- $token->setAttribute('secret', $secret),
- Response::MODEL_TOKEN
- )
+ $response->output($token, Response::MODEL_TOKEN)
 );
- // Hide secret for clients
- $token->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? Auth::encodeSession($user->getId(), $secret) : '');
-
 $response
 ->setStatusCode(Response::STATUS_CODE_CREATED)
- ->dynamic($token, Response::MODEL_TOKEN)
- ;
+ ->dynamic($token, Response::MODEL_TOKEN);
 });
 App::post('/v1/account/jwt')
@@ -2968,6 +2956,9 @@ App::post('/v1/account/recovery')
 'team' => ''
 ];
+ // Hide secret for clients
+ $recovery->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $secret : '');
+
 $queueForMails
 ->setRecipient($profile->getAttribute('email', ''))
 ->setName($profile->getAttribute('name', ''))
@@ -2980,14 +2971,7 @@ App::post('/v1/account/recovery')
 ->setParam('userId', $profile->getId())
 ->setParam('tokenId', $recovery->getId())
 ->setUser($profile)
- ->setPayload($response->output(
- $recovery->setAttribute('secret', $secret),
- Response::MODEL_TOKEN
- ))
- ;
-
- // Hide secret for clients
- $recovery->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $secret : '');
+ ->setPayload($response->output($recovery, Response::MODEL_TOKEN));
 $response
 ->setStatusCode(Response::STATUS_CODE_CREATED)
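Review bot: In the `@@ -2316,19 +2311,12 @@` hunk the event payload's `secret` changes format, not just visibility: it was the raw `$secret`, and after the move it is `Auth::encodeSession($user->getId(), $secret)` for privileged and app-user callers and `''` otherwise, whereas the recovery hunk below keeps the raw `$secret` for those same callers. If anything consuming `$queueForEvents` parses that field, this is a silent contract change that should be called out; if the intent is that the event payload always mirrors the response document, state it in the comment, e.g. `// Event payload and response share this document; privileged/app callers get the encoded session, everyone else an empty secret`. The route closure begins outside the hunk, so I cannot tell whether `$secret` is needed in its raw form after this point.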
@@ -3158,6 +3142,7 @@ App::post('/v1/account/verification')
 ->setParam('{{footer}}', $locale->getText("emails.verification.footer"))
 ->setParam('{{thanks}}', $locale->getText("emails.verification.thanks"))
 ->setParam('{{signature}}', $locale->getText("emails.verification.signature"));
+
 $body = $message->render();
 $smtp = $project->getAttribute('smtp', []);
@@ -3216,6 +3201,9 @@ App::post('/v1/account/verification')
 'team' => '',
 ];
+ // Hide secret for clients
+ $verification->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $verificationSecret : '');
+
 $queueForMails
 ->setSubject($subject)
 ->setBody($body)
@@ -3227,13 +3215,7 @@ App::post('/v1/account/verification')
 $queueForEvents
 ->setParam('userId', $user->getId())
 ->setParam('tokenId', $verification->getId())
- ->setPayload($response->output(
- $verification->setAttribute('secret', $verificationSecret),
- Response::MODEL_TOKEN
- ));
-
- // Hide secret for clients
- $verification->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $verificationSecret : '');
+ ->setPayload($response->output($verification, Response::MODEL_TOKEN));
 $response
 ->setStatusCode(Response::STATUS_CODE_CREATED)
@@ -3389,6 +3371,9 @@ App::post('/v1/account/verification/phone')
 ],
 ]);
+ // Hide secret for clients
+ $verification->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $secret : '');
+
 $queueForMessaging
 ->setType(MESSAGE_SEND_TYPE_INTERNAL)
 ->setMessage($messageDoc)
@@ -3398,14 +3383,7 @@ App::post('/v1/account/verification/phone')
 $queueForEvents
 ->setParam('userId', $user->getId())
 ->setParam('tokenId', $verification->getId())
- ->setPayload($response->output(
- $verification->setAttribute('secret', $secret),
- Response::MODEL_TOKEN
- ))
- ;
-
- // Hide secret for clients
- $verification->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $secret : '');
+ ->setPayload($response->output($verification, Response::MODEL_TOKEN));
 $response
 ->setStatusCode(Response::STATUS_CODE_CREATED)