From 91445d8ec2438bbee030e42e1ef6390065aeac1b Mon Sep 17 00:00:00 2001
From: VarshithReddy2006
Date: Fri, 5 Jun 2026 19:09:51 +0530
Subject: [PATCH 1/3] fix: block verification field updates in profile endpoint
---
 apps/public-api/src/controllers/userAuth.controller.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/apps/public-api/src/controllers/userAuth.controller.js b/apps/public-api/src/controllers/userAuth.controller.js
index 55d27571..c9018bb1 100644
--- a/apps/public-api/src/controllers/userAuth.controller.js
+++ b/apps/public-api/src/controllers/userAuth.controller.js
@@ -1533,6 +1533,10 @@ module.exports.updateProfile = async (req, res) => {
 delete updateData.email;
 delete updateData._id;
 
+ delete updateData.emailVerified;
+ delete updateData.isVerified;
+ delete updateData.isverified;
+
 if (updateData.username !== undefined) {
 const username = updateData.username;
 if (typeof username !== 'string' || username.length < 3 || username.length > 50) {
From 23e584c812b41ea7cd8d90fc35e2074a5386b32e Mon Sep 17 00:00:00 2001
From: VarshithReddy2006
Date: Sat, 6 Jun 2026 06:54:10 +0530
Subject: [PATCH 2/3] fix: use allowlist for profile updates
---
 .../src/controllers/userAuth.controller.js | 35 +++++++++++++++----
 1 file changed, 28 insertions(+), 7 deletions(-)
diff --git a/apps/public-api/src/controllers/userAuth.controller.js b/apps/public-api/src/controllers/userAuth.controller.js
index c9018bb1..20a6801a 100644
--- a/apps/public-api/src/controllers/userAuth.controller.js
+++ b/apps/public-api/src/controllers/userAuth.controller.js
@@ -1528,14 +1528,35 @@ module.exports.updateProfile = async (req, res) => { return res.status(401).json({ error: "Access Denied: Invalid or expired token" }); } - const updateData = { ...req.body }; - delete updateData.password; - delete updateData.email; - delete updateData._id; + const usersColConfig = project.collections.find( + c => c.name === 'users' + ); - delete updateData.emailVerified; - delete updateData.isVerified; - delete updateData.isverified; + if (!usersColConfig) { + return res.status(404).json({ + error: "Auth collection not found" + }); + } + const restrictedFields = [ + '_id', + 'password', + 'email', + 'emailVerified', + 'isVerified', + 'isverified' + ]; + + const allowedFields = (usersColConfig?.model || []) + .map(field => field?.key) + .filter(key => key && !restrictedFields.includes(key)); + + const updateData = {}; + + for (const field of allowedFields) { + if (req.body[field] !== undefined) { + updateData[field] = req.body[field]; + } + } if (updateData.username !== undefined) { const username = updateData.username; From b8054a48061fa12ddc4752146513fd85bf30e42e Mon Sep 17 00:00:00 2001 From: VarshithReddy2006 Date: Sat, 6 Jun 2026 07:05:04 +0530 Subject: [PATCH 3/3] fix: use allowlist for profile updates --- apps/public-api/src/controllers/userAuth.controller.js | 3 --- 1 file changed, 3 deletions(-) diff --git a/apps/public-api/src/controllers/userAuth.controller.js b/apps/public-api/src/controllers/userAuth.controller.js index 20a6801a..da94a698 100644 --- a/apps/public-api/src/controllers/userAuth.controller.js +++ b/apps/public-api/src/controllers/userAuth.controller.js 
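Review bot: The new "allowlist" is computed as the entire `users` model minus six hard-coded names, so any other field the project's users collection defines (role or permission flags, reset/OTP/refresh-token fields, timestamps — I cannot see the schema from here) is still writable by the caller through `updateData[field] = req.body[field]`; in effect this is still a denylist keyed on the schema, and the three spellings of `isVerified` in `restrictedFields` show how fragile the name matching is. I would either mark profile-editable fields explicitly in the collection config and copy only those, or at minimum compare case-insensitively: `const restricted = new Set(restrictedFields.map(f => f.toLowerCase()));` and `.filter(key => typeof key === 'string' && !restricted.has(key.toLowerCase()))`. The `?.` in `usersColConfig?.model` is redundant immediately after the `!usersColConfig` 404 guard and can be dropped. `project` and `req.body` are established before this hunk and `updateProfile` continues past it; since nothing visible guarantees `req.body` is an object, reading from `const body = req.body ?? {};` before the loop would avoid a TypeError on an empty or non-JSON body.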
@@ -1567,9 +1567,6 @@ module.exports.updateProfile = async (req, res) => { const sanitizedUpdateData = sanitize(updateData); - const usersColConfig = project.collections.find(c => c.name === 'users'); - if (!usersColConfig) return res.status(404).json({ error: "Auth collection not found" }); - const connection = await getConnection(project._id); const Model = getCompiledModel(connection, usersColConfig, project._id, project.resources.db.isExternal);