Don't return actorId from /v1/sessions/restore (#1480)

matthew-white · web-flow · commit 4ea612178d7e · 2025-05-13T00:46:55.000-04:00
diff --git a/lib/resources/sessions.js b/lib/resources/sessions.js
@@ -9,12 +9,12 @@
 
 const { verifyPassword } = require('../util/crypto');
 const Problem = require('../util/problem');
-const { isBlank, noargs, omit } = require('../util/util');
+const { isBlank, noargs } = require('../util/util');
 const { getOrReject, rejectIf } = require('../util/promise');
 const { success } = require('../util/http');
 const { SESSION_COOKIE, createUserSession } = require('../http/sessions');
 const oidc = require('../util/oidc');
-const { partial } = require('ramda');
+const { pick } = require('ramda');
 
 module.exports = (service, endpoint, anonymousEndpoint) => {
 
@@ -44,7 +44,7 @@ module.exports = (service, endpoint, anonymousEndpoint) => {
 
   service.get('/sessions/restore', endpoint((_, { auth }) =>
     auth.session
-      .map(partial(omit, [['token', 'csrf']]))
+      .map(pick(['createdAt', 'expiresAt']))
       .orElse(Problem.user.notFound())));
 
   const logOut = (Sessions, auth, session) =>
diff --git a/test/assertions.js b/test/assertions.js
@@ -143,10 +143,11 @@ should.Assertion.add('ExtendedSubmissionDef', function() {
 should.Assertion.add('Session', function() {
   this.params = { operator: 'to be a Session' };
 
-  Object.keys(this.obj).should.containDeep([ 'expiresAt', 'createdAt', 'token' ]);
+  Object.keys(this.obj).should.eqlInAnyOrder([ 'expiresAt', 'createdAt', 'token', 'csrf' ]);
   this.obj.expiresAt.should.be.an.isoDate();
   this.obj.createdAt.should.be.an.isoDate();
   this.obj.token.should.be.a.token();
+  this.obj.csrf.should.be.a.token();
 });
 
 should.Assertion.add('FieldKey', function() {
diff --git a/test/integration/api/sessions.js b/test/integration/api/sessions.js
@@ -171,6 +171,7 @@ describe('api: /sessions', () => {
           .set('Cookie', 'session=' + token)
           .expect(200)
           .then((restore) => {
+            Object.keys(restore.body).should.eqlInAnyOrder(['createdAt', 'expiresAt']);
             restore.body.expiresAt.should.be.an.isoDate();
             restore.body.createdAt.should.be.an.isoDate();
             should(restore.body.token).be.undefined();
