Prevent access to confirmation_token and reset_password_token via GraphQL API

Those tokens do not need to be exposed to authenticated users, not even admin users. Fixes #1761
2025-05-19 18:37:44 +02:00
parent 5f92ff3ede
commit 1b2c55508e
1 changed files with 0 additions and 6 deletions
--- a/lib/graphql/schema/user.ex
+++ b/lib/graphql/schema/user.ex
@@ -40,16 +40,10 @@ defmodule Mobilizon.GraphQL.Schema.UserType do
      description: "The datetime the last activation/confirmation token was sent"
    )

-    field(:confirmation_token, :string, description: "The account activation/confirmation token")
-
    field(:reset_password_sent_at, :datetime,
      description: "The datetime last reset password email was sent"
    )

-    field(:reset_password_token, :string,
-      description: "The token sent when requesting password token"
-    )
-
    field(:feed_tokens, list_of(:feed_token),
      resolve:
        dataloader(