From a868ecf2d264580ef7188c60c34d45ba28e9dce8 Mon Sep 17 00:00:00 2001
From: David Nguyen
Date: Mon, 12 Feb 2024 18:23:07 +1100
Subject: [PATCH] fix: restrict team verification tokens (#927)

## Description

Currently we're not restricting team transfer and email verification tokens from flowing into the frontend. This changes restricts it to only return the required information instead of the whole data object.
---
 .../[teamUrl]/settings/team-transfer-status.tsx | 2 +-
 packages/lib/server-only/team/get-team.ts | 16 ++++++++++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/apps/web/src/app/(teams)/t/[teamUrl]/settings/team-transfer-status.tsx b/apps/web/src/app/(teams)/t/[teamUrl]/settings/team-transfer-status.tsx
index cba50966f..92f89c01e 100644
--- a/apps/web/src/app/(teams)/t/[teamUrl]/settings/team-transfer-status.tsx
+++ b/apps/web/src/app/(teams)/t/[teamUrl]/settings/team-transfer-status.tsx
@@ -18,7 +18,7 @@ export type TeamTransferStatusProps = {
 className?: string;
 currentUserTeamRole: TeamMemberRole;
 teamId: number;
- transferVerification: TeamTransferVerification | null;
+ transferVerification: Pick | null;
 };
 
 export const TeamTransferStatus = ({
diff --git a/packages/lib/server-only/team/get-team.ts b/packages/lib/server-only/team/get-team.ts
index 59331202e..f2fd9cd4f 100644
--- a/packages/lib/server-only/team/get-team.ts
+++ b/packages/lib/server-only/team/get-team.ts
@@ -72,8 +72,20 @@ export const getTeamByUrl = async ({ userId, teamUrl }: GetTeamByUrlOptions) =>
 where: whereFilter,
 include: {
 teamEmail: true,
- emailVerification: true,
- transferVerification: true,
+ emailVerification: {
+ select: {
+ expiresAt: true,
+ name: true,
+ email: true,
+ },
+ },
+ transferVerification: {
+ select: {
+ expiresAt: true,
+ name: true,
+ email: true,
+ },
+ },
 subscription: true,
 members: {
 where: {
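Review bot: The narrowed `transferVerification` prop type is erased at compile time, so on its own it does not stop extra fields from being serialized into the props if a caller passes a full record. The enforcement lives in the server-side query, and a comment on the prop would make that dependency explicit, for example `// Type-only narrowing; the token is kept out of the payload by the select in getTeamByUrl.` The type arguments of `Pick` are not visible in this rendering of the patch, so they should be checked against the three fields the query selects. The component body lies outside the hunk.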
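Review bot: Nothing in the new `select` blocks for `emailVerification` and `transferVerification` records that leaving the token out is deliberate, so a later edit that reverts to `true` or adds a field could silently re-expose it to the client. A comment above each block such as `// Allow-list only: the verification token must never reach the frontend.` would guard against that. The neighbouring `teamEmail: true` and `subscription: true` still return whole rows, and it is worth confirming that neither carries a secret. getTeamByUrl starts and ends outside the hunk, and any other query in this file that includes the same relations would presumably need the same restriction.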