fix(predicate): adds exclusive method to get user notification data#498
fix(predicate): adds exclusive method to get user notification data#498pedroanastacio wants to merge 3 commits intostagingfrom
Conversation
| for (const key of Object.keys(element.owner)) { | ||
| assert.deepStrictEqual(member[key], element.owner[key]); | ||
| } | ||
| assert.deepStrictEqual(element.owner, member); |
There was a problem hiding this comment.
🔴 CRITICAL: Test assertion will fail due to removed fields
Problem: The test expects element.owner to match member exactly, but member now excludes email and notify fields that were removed from the predicate endpoint. This will cause a deep equality assertion failure.
Suggestion: Update the assertion to only compare the fields that are actually returned by the endpoint, or create a filtered comparison object excluding the removed fields.
There was a problem hiding this comment.
The email and notify properties are not returned to the owner of the predicate, so there is no error in the test caused by removing the properties from the return of the findById method, since the members do not have them either.
| } | ||
| } | ||
|
|
||
| async getNotificationInfo(ids: string[]): Promise<INotificationInfo[]> { |
There was a problem hiding this comment.
🟡 IMPORTANT: Method lacks proper documentation
Problem: The new getNotificationInfo method is missing JSDoc documentation explaining its purpose, parameters, and return value. This is especially important since it's handling sensitive user data.
Suggestion: Add JSDoc documentation:
/**
* Retrieves notification preferences and email for specified users
* Used internally for sending notifications without exposing sensitive data
* @param ids - Array of user IDs to fetch notification info for
* @returns Promise<INotificationInfo[]> - User notification data (id, name, notify, email)
*/
| const vault = await new PredicateService().findById(vaultId); | ||
| async vaultCreate({ | ||
| vaultId, | ||
| vaultName, |
There was a problem hiding this comment.
🔵 SUGGESTION: Early return condition could be more explicit
Problem: The early return for empty array is good, but the condition could be more descriptive for maintainability.
Suggestion: Consider adding a comment or making the condition more explicit:
if (membersToNotify.length === 0) {
logger.debug('[VAULT_CREATE] No members to notify, skipping notifications');
return;
}
guimroque
left a comment
guimroque
left a comment
There was a problem hiding this comment.
Code Review
Summary
This PR successfully addresses a security vulnerability by preventing exposure of user email addresses in the predicate endpoint. The refactoring moves notification logic to a dedicated service and introduces a new method to safely retrieve user notification data.
Strengths
- Excellent security fix removing email exposure from public endpoint
- Clean separation of concerns moving notification logic to NotificationService
- Proper error handling with structured logging
- Good use of parallel processing for notifications and emails
Issues
- 1 critical, 1 important, 1 suggestion
3 participants
Description
The endpoint
GET - /predicate/:predicateIdwas returning more information than it should have, in this case the user's email address. To obtain notification information about a user, an internal method must be created in the API so as not to expose critical information.}Summary
getNotificationInfomethod to obtain user notification information.GET - /predicate/:predicateId.Checklist