Merge pull request #3858 from overleaf/ab-ae-remove-token-project-invite

Remove token from project invites object returned to frontend

GitOrigin-RevId: 439fdb6fb44af1f46a9f16c4be8cc1d4fce8b562

services/web/app/src/Features/Project/ProjectEditorHandler.js

@@ -49,7 +49,9 @@ module.exports = ProjectEditorHandler = {
     if (result.invites == null) {
       result.invites = []
     }
-
+    result.invites.forEach(invite => {
+      delete invite.token
+    })
     ;({ owner, ownerFeatures, members } = this.buildOwnerAndMembersViews(
       members
     ))

services/web/test/unit/src/Project/ProjectEditorHandlerTests.js

@@ -97,20 +97,22 @@ describe('ProjectEditorHandler', function() {
         _id: 'invite_one',
         email: 'user-one@example.com',
         privileges: 'readOnly',
-        projectId: this.project._id
+        projectId: this.project._id,
+        token: 'my-secret-token1'
       },
       {
         _id: 'invite_two',
         email: 'user-two@example.com',
         privileges: 'readOnly',
-        projectId: this.project._id
+        projectId: this.project._id,
+        token: 'my-secret-token2'
       }
     ]
     return (this.handler = SandboxedModule.require(modulePath))
   })
 
   describe('buildProjectModelView', function() {
-    describe('with owner and members included', function() {
+    describe('with owner, members and invites included', function() {
       beforeEach(function() {
         return (this.result = this.handler.buildProjectModelView(
           this.project,
@@ -159,6 +161,11 @@ describe('ProjectEditorHandler', function() {
         ])
       })
 
+      it('invites should not include the token', function() {
+        should.not.exist(this.result.invites[0].token)
+        should.not.exist(this.result.invites[1].token)
+      })
+
       it('should gather readOnly_refs and collaberators_refs into a list of members', function() {
         const findMember = id => {
           for (let member of Array.from(this.result.members)) {