From 1b2c55508ee7d4abb56dd2de6bc9e767d127d1e8 Mon Sep 17 00:00:00 2001
From: Massedil
Date: Mon, 19 May 2025 18:37:44 +0200
Subject: [PATCH] Prevent access to confirmation_token and reset_password_token via GraphQL API
Those tokens do not need to be exposed to authenticated users, not even admin users.
Fixes #1761
---
 lib/graphql/schema/user.ex | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/lib/graphql/schema/user.ex b/lib/graphql/schema/user.ex
index 71c019ed4..91936b659 100644
--- a/lib/graphql/schema/user.ex
+++ b/lib/graphql/schema/user.ex
@@ -40,16 +40,10 @@ defmodule Mobilizon.GraphQL.Schema.UserType do
 description: "The datetime the last activation/confirmation token was sent"
 )
- field(:confirmation_token, :string, description: "The account activation/confirmation token")
 field(:reset_password_sent_at, :datetime,
 description: "The datetime last reset password email was sent"
 )
- field(:reset_password_token, :string, description: "The token sent when requesting password token"
- )
 field(:feed_tokens, list_of(:feed_token),
 resolve: dataloader(