From 03cd476f3ce443859bfc4fab0b42022f5f91926d Mon Sep 17 00:00:00 2001
From: Wilco Louwerse <wilco@conduction.nl>
Date: Fri, 28 Jun 2024 14:10:14 +0200
Subject: [PATCH] Let's not show api-keys in the login api-call response

---
 api/src/Controller/UserController.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/api/src/Controller/UserController.php b/api/src/Controller/UserController.php
index cdc9ba715..88d8eaaf8 100644
--- a/api/src/Controller/UserController.php
+++ b/api/src/Controller/UserController.php
@@ -275,14 +275,17 @@ private function cleanupLoginResponse(array $userArray): array
         if (isset($userArray['organization']['users']) === true) {
             unset($userArray['organization']['users']);
         }
+
         if (isset($userArray['organization']['applications']) === true) {
             foreach ($userArray['organization']['applications'] as &$application) {
-                unset($application['organization']);
+                unset($application['secret'], $application['organization']);
             }
         }
+
         foreach ($userArray['applications'] as &$application) {
-            unset($application['organization']);
+            unset($application['secret'], $application['organization']);
         }
+
         foreach ($userArray['securityGroups'] as &$securityGroup) {
             unset($securityGroup['users']);
             unset($securityGroup['parent']);