System Information
- Strapi Version: 4.1.5
- Operating System: macos
- Database: mysql
- Node Version: 16.14.0
- NPM Version: 8.3.1
- Yarn Version: 1.22.17
I have a comment API that has a relation with the userPermissionUser model, which has an email field.
Strapi GraphQL would automatically create a Query endpoint for comments,
and a client application can query users' information as much as it wants.
You can disable the email field with shadow CRUD like this. However, if you do this, it will remove email from all GraphQL responses, which means `updateUser` returns its payload without email.
That makes all the other GraphQL endpoints pretty useless.
```js
// Disable the email field on the users-permissions user type via shadow CRUD
strapi
  .plugin('graphql')
  .service('extension')
  .shadowCRUD('plugin::users-permissions.user')
  .field('email')
  .disable();
```
I dug around and tried to find a way to handle this. Neither a policy nor a middleware can customize the endpoint for that.
If you are not careful, your users' email accounts can leak to the public by calling all the comments with `author.email`.
So be careful.
I am not sure if Strapi will provide a way to handle this in the future, but for now, there is no way.
Please let me know if I am missing something.
Have a good day!
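To audit your own schema for the exposure described in this post, the following added example (not part of the original post and not Strapi code) walks a GraphQL schema from `Query` and lists every path that reaches the user type's `email` field through relations. The sample schema is constructed, and its type names are assumptions modeled on the types Strapi v4 generates; `fromIntrospection` and `findPaths` are hypothetical helper names.

```javascript
// Constructed sample: type name -> { field name: returned type name }.
// Type names are assumptions modeled on Strapi v4's generated GraphQL types.
const sampleSchema = {
  Query: { comments: 'CommentEntityResponseCollection', me: 'UsersPermissionsMe' },
  CommentEntityResponseCollection: { data: 'CommentEntity' },
  CommentEntity: { id: 'ID', attributes: 'Comment' },
  Comment: { body: 'String', author: 'UsersPermissionsUserEntityResponse' },
  UsersPermissionsUserEntityResponse: { data: 'UsersPermissionsUserEntity' },
  UsersPermissionsUserEntity: { id: 'ID', attributes: 'UsersPermissionsUser' },
  UsersPermissionsUser: { username: 'String', email: 'String',
                          comments: 'CommentEntityResponseCollection' },
  UsersPermissionsMe: { id: 'ID', username: 'String', email: 'String' },
};

// Unwrap NON_NULL / LIST wrappers of an introspection type reference.
const named = (t) => (t.ofType ? named(t.ofType) : t.name);

// Build the same map from the `__schema.types` array of an introspection result.
function fromIntrospection(types) {
  const map = {};
  for (const t of types) {
    if (!t.fields) continue; // scalars, enums and inputs have no output fields
    map[t.name] = Object.fromEntries(t.fields.map((f) => [f.name, named(f.type)]));
  }
  return map;
}

// Depth-first walk from rootType; report each field path ending at targetType.targetField.
function findPaths(schema, targetType, targetField, rootType = 'Query') {
  const found = [];
  const walk = (typeName, path, onPath) => {
    const fields = schema[typeName];
    if (!fields || onPath.has(typeName)) return; // scalar/unknown type, or a relation cycle
    if (typeName === targetType && targetField in fields) {
      found.push([...path, targetField].join('.'));
    }
    const next = new Set(onPath).add(typeName);
    for (const [field, returns] of Object.entries(fields)) {
      walk(returns, [...path, field], next);
    }
  };
  walk(rootType, [], new Set());
  return found;
}

console.log(findPaths(sampleSchema, 'UsersPermissionsUser', 'email'));
```

Run it before and after a schema change such as the shadow CRUD `disable()` above to confirm the path through `author` is gone.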