fix(core): Remove sensitive data from User entity during serialization (no-changelog) (#8773)

packages/cli/src/databases/entities/User.ts

@@ -141,4 +141,9 @@ export class User extends WithTimestamps implements IUser {
 			scopeOptions,
 		);
 	}
+
+	toJSON() {
+		const { password, apiKey, mfaSecret, mfaRecoveryCodes, ...rest } = this;
+		return rest;
+	}
 }

packages/cli/test/unit/databases/entities/user.entity.test.ts

@@ -0,0 +1,20 @@
+import { User } from '@db/entities/User';
+
+describe('User Entity', () => {
+	describe('JSON.stringify', () => {
+		it('should not serialize sensitive data', () => {
+			const user = Object.assign(new User(), {
+				email: 'test@example.com',
+				firstName: 'Don',
+				lastName: 'Joe',
+				password: '123456789',
+				apiKey: '123',
+				mfaSecret: '123',
+				mfaRecoveryCodes: ['123'],
+			});
+			expect(JSON.stringify(user)).toEqual(
+				'{"email":"test@example.com","firstName":"Don","lastName":"Joe"}',
+			);
+		});
+	});
+});