fix: mask recipient tokens for non-owners

packages/lib/server-only/document/find-documents.ts

@@ -7,6 +7,7 @@ import { SigningStatus } from '@documenso/prisma/client';
 import { ExtendedDocumentStatus } from '@documenso/prisma/types/extended-document-status';
 
 import type { FindResultSet } from '../../types/find-result-set';
+import { maskRecipientTokensForDocument } from '../../utils/mask-recipient-tokens-for-document';
 
 export type FindDocumentsOptions = {
   userId: number;
@@ -173,8 +174,15 @@ export const findDocuments = async ({
     }),
   ]);
 
+  const maskedData = data.map((document) =>
+    maskRecipientTokensForDocument({
+      document,
+      user,
+    }),
+  );
+
   return {
-    data,
+    data: maskedData,
     count,
     currentPage: Math.max(page, 1),
     perPage,

packages/lib/server-only/document/update-document.ts

@@ -5,14 +5,16 @@ import type { Prisma } from '@prisma/client';
 import { prisma } from '@documenso/prisma';
 
 export type UpdateDocumentOptions = {
-  documentId: number;
   data: Prisma.DocumentUpdateInput;
+  userId: number;
+  documentId: number;
 };
 
-export const updateDocument = async ({ documentId, data }: UpdateDocumentOptions) => {
+export const updateDocument = async ({ documentId, userId, data }: UpdateDocumentOptions) => {
   return await prisma.document.update({
     where: {
       id: documentId,
+      userId,
     },
     data: {
       ...data,

packages/lib/utils/mask-recipient-tokens-for-document.ts

@@ -0,0 +1,38 @@
+import type { User } from '@documenso/prisma/client';
+import type { DocumentWithRecipients } from '@documenso/prisma/types/document-with-recipient';
+
+export type MaskRecipientTokensForDocumentOptions<T extends DocumentWithRecipients> = {
+  document: T;
+  user?: User;
+  token?: string;
+};
+
+export const maskRecipientTokensForDocument = <T extends DocumentWithRecipients>({
+  document,
+  user,
+  token,
+}: MaskRecipientTokensForDocumentOptions<T>) => {
+  const maskedRecipients = document.Recipient.map((recipient) => {
+    if (document.userId === user?.id) {
+      return recipient;
+    }
+
+    if (recipient.email === user?.email) {
+      return recipient;
+    }
+
+    if (recipient.token === token) {
+      return recipient;
+    }
+
+    return {
+      ...recipient,
+      token: '',
+    };
+  });
+
+  return {
+    ...document,
+    Recipient: maskedRecipients,
+  };
+};

packages/prisma/seed/initial-seed.ts

@@ -18,6 +18,7 @@ export const seedDatabase = async () => {
     create: {
       name: 'Example User',
       email: 'example@documenso.com',
+      emailVerified: new Date(),
       password: hashSync('password'),
       roles: [Role.USER],
     },
@@ -31,6 +32,7 @@ export const seedDatabase = async () => {
     create: {
       name: 'Admin User',
       email: 'admin@documenso.com',
+      emailVerified: new Date(),
       password: hashSync('password'),
       roles: [Role.USER, Role.ADMIN],
     },