From e2db47f3589eb2d15ac1351b9830f766289be747 Mon Sep 17 00:00:00 2001
From: Chris Brame
Date: Mon, 16 May 2022 18:09:37 -0400
Subject: [PATCH] fix(api): v1 security fix
---
 src/controllers/api/v1/messages.js | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/controllers/api/v1/messages.js b/src/controllers/api/v1/messages.js
index 5571e83ba..b754d4a75 100644
--- a/src/controllers/api/v1/messages.js
+++ b/src/controllers/api/v1/messages.js
@@ -308,7 +308,18 @@ apiMessages.deleteConversation = function (req, res) {
 convo.save(function (err, sConvo) {
 if (err) return res.status(400).json({ success: false, error: err.message })
- return res.json({ success: true, conversation: sConvo })
+ const cleanConvo = sConvo.toObject()
+ cleanConvo.participants.forEach(function (p) {
+ delete p._id
+ delete p.id
+ delete p.role
+ })
+
+ cleanConvo.userMeta.forEach(function (meta) {
+ delete meta.userId
+ })
+
+ return res.json({ success: true, conversation: cleanConvo })
 })
 })
 }
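Review bot: The scrubbing added in the `convo.save` callback is a denylist. It deletes only `_id`, `id` and `role` from each participant and `userId` from each `userMeta` entry, so every other field `toObject()` emits on those sub-documents is still returned, and a field added to the schema later would be exposed by default. Building `cleanConvo` from an explicit allowlist of the fields the client needs would fail closed; which fields those are cannot be determined from this hunk, so that needs confirming against the participant schema. Separately, both `forEach` calls assume the arrays exist, and a missing one would throw inside the callback after the save has already succeeded; a guard such as `(cleanConvo.participants || []).forEach(...)` and `(cleanConvo.userMeta || []).forEach(...)` avoids that. The rest of `deleteConversation` is outside the hunk, so whether other handlers in this file return the unscrubbed document is not visible here.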