authorZephyrrus <[email protected]>2020-07-09 02:22:08 +0300
committerZephyrrus <[email protected]>2020-07-09 02:22:08 +0300
commit746a4546122be2ed79ad5858de6ce2c686f78ef0 (patch)
treeabe4c6dd4d3537689d710bcf37290580d04f0005 /src/api
parentfeat: add notifier plugin for 🐍 and 🍞 (diff)
fix: stop leaking user's password and their apikey to admins
Diffstat (limited to 'src/api')
-rw-r--r--src/api/routes/admin/userGET.js5
-rw-r--r--src/api/structures/Route.js4
2 files changed, 7 insertions, 2 deletions
diff --git a/src/api/routes/admin/userGET.js b/src/api/routes/admin/userGET.js
index 30c79f4..2fb80d1 100644
--- a/src/api/routes/admin/userGET.js
+++ b/src/api/routes/admin/userGET.js
@@ -11,7 +11,10 @@ class usersGET extends Route {
if (!id) return res.status(400).json({ message: 'Invalid user ID supplied' });
try {
- const user = await db.table('users').where({ id }).first();
+ const user = await db.table('users')
+ .select('id, username, enabled, createdAt, editeadAt, apiKeyEditedAt, isAdmin')
+ .where({ id })
+ .first();
const files = await db.table('files')
.where({ userId: user.id })
.orderBy('id', 'desc');
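Review bot: The column list on the added `.select(...)` line is passed as one comma-joined string, which a query builder such as knex quotes as a single identifier, so the query would look for a column literally named `id, username, …` rather than seven columns; pass them as separate arguments, `.select('id', 'username', 'enabled', 'createdAt', 'editedAt', 'apiKeyEditedAt', 'isAdmin')`. `editeadAt` also looks like a typo for `editedAt` — confirm against the schema, since a misspelled column makes the whole admin lookup fail. The explicit column allowlist is the right way to keep `password` and `apiKey` out of the response; a one-line comment above it, `// allowlist only: never add password or apiKey here`, would keep a later maintainer from widening it. The following `files` query dereferences `user.id` before checking that a row was found; a guard such as `if (!user) return res.status(404).json({ message: 'User not found' });` would avoid a TypeError for unknown ids. The enclosing usersGET handler starts and ends outside the hunk.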
diff --git a/src/api/structures/Route.js b/src/api/structures/Route.js
index 400ae3d..6be0dc7 100644
--- a/src/api/structures/Route.js
+++ b/src/api/structures/Route.js
@@ -77,7 +77,9 @@ class Route {
.where({ id })
.first();
if (!user) return res.status(401).json({ message: 'Invalid authorization' });
- if (iat && iat < moment(user.passwordEditedAt).format('x')) { return res.status(401).json({ message: 'Token expired' }); }
+ if (iat && iat < moment(user.passwordEditedAt).format('x')) {
+ return res.status(401).json({ message: 'Token expired' });
+ }
if (!user.enabled) return res.status(401).json({ message: 'This account has been disabled' });
if (this.options.adminOnly && !user.isAdmin) { return res.status(401).json({ message: 'Invalid authorization' }); }