Remove JSON::Serializable from models

Ensures we are not sending sensitive data (eg: password digests) to redis.
GrottoPress · Jul 11, 2024 · b708a85 · b708a85
1 parent b993f03
commit b708a85
Show file tree

Hide file tree

Showing 8 changed files with 145 additions and 55 deletions.
diff --git a/config/charms.cr b/config/charms.cr
diff --git a/src/app.cr b/src/app.cr
@@ -11,7 +11,6 @@ require "defense"
 require "fella"
 
 require "./app_settings"
-require "../config/charms"
 require "./app_database"
 require "./models/mixins/**"
 require "./models/base_model"

diff --git a/src/emails/bearer_login_notification_email.cr b/src/emails/bearer_login_notification_email.cr
@@ -1,11 +1,37 @@
 class BearerLoginNotificationEmail < BaseEmail
-  def initialize(operation : CreateBearerLogin, @bearer_login : BearerLogin)
+  @bearer_login : {
+    active_at: Time,
+    name: String,
+    user: {
+      email: String,
+      first_name: String,
+      full_name: String,
+      last_name: String,
+    }
+  }
+
+  def initialize(operation : CreateBearerLogin, bearer_login : BearerLogin)
+    user = bearer_login.user
+
+    @bearer_login = {
+      active_at: bearer_login.active_at,
+      name: bearer_login.name,
+      user: {
+        email: user.email,
+        first_name: user.first_name,
+        full_name: user.full_name,
+        last_name: user.last_name
+      }
+    }
   end
 
   reply_to App.settings.email_reply_to
 
   private def receiver
-    @bearer_login.user
+    Carbon::Address.new(
+      @bearer_login[:user][:full_name],
+      @bearer_login[:user][:email]
+    )
   end
 
   private def heading
@@ -16,16 +42,14 @@ class BearerLoginNotificationEmail < BaseEmail
   end
 
   private def text_message : String
-    user = @bearer_login.user
-
     Rex.t(
       :"email.bearer_login_notification.body",
       app_name: App.settings.name,
-      first_name: user.first_name,
-      last_name: user.last_name,
-      full_name: user.full_name,
-      active_time: Rex.l(@bearer_login.active_at, :long),
-      bearer_login_name: @bearer_login.name
+      first_name: @bearer_login[:user][:first_name],
+      last_name: @bearer_login[:user][:last_name],
+      full_name: @bearer_login[:user][:full_name],
+      active_time: Rex.l(@bearer_login[:active_at], :long),
+      bearer_login_name: @bearer_login[:name]
     )
   end
 end
diff --git a/src/emails/email_confirmation_request_email.cr b/src/emails/email_confirmation_request_email.cr
@@ -1,15 +1,25 @@
 class EmailConfirmationRequestEmail < BaseEmail
+  @email_confirmation : {
+    email: String,
+    id: EmailConfirmation::PrimaryKeyType,
+  }
+
   @token : String
 
   def initialize(
     operation : StartEmailConfirmation,
-    @email_confirmation : EmailConfirmation
+    email_confirmation : EmailConfirmation
   )
+    @email_confirmation = {
+      email: email_confirmation.email,
+      id: email_confirmation.id
+    }
+
     @token = operation.token
   end
 
   private def receiver
-    Carbon::Address.new(@email_confirmation.email)
+    Carbon::Address.new(@email_confirmation[:email])
   end
 
   private def heading
@@ -23,10 +33,10 @@ class EmailConfirmationRequestEmail < BaseEmail
     Rex.t(
       :"email.email_confirmation_request.body",
       app_name: App.settings.name,
-      link: EmailConfirmationCredentials.new(
+      link: EmailConfirmationCredentials.url(
         @token,
-        @email_confirmation.id
-      ).url,
+        @email_confirmation[:id]
+      ),
       link_expiry: Shield.settings.email_confirmation_expiry.total_minutes.to_i,
     )
   end

diff --git a/src/emails/login_notification_email.cr b/src/emails/login_notification_email.cr
@@ -1,28 +1,49 @@
 class LoginNotificationEmail < BaseEmail
-  def initialize(operation : StartCurrentLogin, @login : Login)
+  @login : {
+    active_at: Time,
+    ip_address: String,
+    user: {
+      email: String,
+      first_name: String,
+      full_name: String,
+      last_name: String
+    }
+  }
+
+  def initialize(operation : StartCurrentLogin, login : Login)
+    user = login.user
+
+    @login = {
+      active_at: login.active_at,
+      ip_address: login.ip_address,
+      user: {
+        email: user.email,
+        first_name: user.first_name,
+        full_name: user.full_name,
+        last_name: user.last_name
+      }
+    }
   end
 
   reply_to App.settings.email_reply_to
 
   private def receiver
-    @login.user
+    Carbon::Address.new(@login[:user][:full_name], @login[:user][:email])
   end
 
   private def heading
     Rex.t(:"email.login_notification.subject", app_name: App.settings.name)
   end
 
   private def text_message : String
-    user = @login.user
-
     Rex.t(
       :"email.login_notification.body",
       app_name: App.settings.name,
-      first_name: user.first_name,
-      last_name: user.last_name,
-      full_name: user.full_name,
-      login_time: Rex.l(@login.active_at, :long),
-      ip_address: @login.ip_address
+      first_name: @login[:user][:first_name],
+      last_name: @login[:user][:last_name],
+      full_name: @login[:user][:full_name],
+      login_time: Rex.l(@login[:active_at], :long),
+      ip_address: @login[:ip_address]
     )
   end
 end
diff --git a/src/emails/password_change_notification_email.cr b/src/emails/password_change_notification_email.cr
@@ -1,11 +1,24 @@
 class PasswordChangeNotificationEmail < BaseEmail
-  def initialize(operation : User::SaveOperation, @user : User)
+  @user : {
+    email: String,
+    first_name: String,
+    full_name: String,
+    last_name: String
+  }
+
+  def initialize(operation : User::SaveOperation, user : User)
+    @user = {
+      email: user.email,
+      first_name: user.first_name,
+      full_name: user.full_name,
+      last_name: user.last_name
+    }
   end
 
   reply_to App.settings.email_reply_to
 
   private def receiver
-    @user
+    Carbon::Address.new(@user[:full_name], @user[:email])
   end
 
   private def heading
@@ -19,9 +32,9 @@ class PasswordChangeNotificationEmail < BaseEmail
     Rex.t(
       :"email.password_change_notification.body",
       app_name: App.settings.name,
-      first_name: @user.first_name,
-      last_name: @user.last_name,
-      full_name: @user.full_name
+      first_name: @user[:first_name],
+      last_name: @user[:last_name],
+      full_name: @user[:full_name]
     )
   end
 end
diff --git a/src/emails/password_reset_request_email.cr b/src/emails/password_reset_request_email.cr
@@ -1,31 +1,51 @@
 class PasswordResetRequestEmail < BaseEmail
+  @password_reset : {
+    id: PasswordReset::PrimaryKeyType,
+    user: {
+      email: String,
+      first_name: String,
+      full_name: String,
+      last_name: String
+    }
+  }
+
   @token : String
 
-  def initialize(
-    operation : StartPasswordReset,
-    @password_reset : PasswordReset
-  )
+  def initialize(operation : StartPasswordReset, password_reset : PasswordReset)
+    user = password_reset.user
+
+    @password_reset = {
+      id: password_reset.id,
+      user: {
+        email: user.email,
+        first_name: user.first_name,
+        full_name: user.full_name,
+        last_name: user.last_name
+      }
+    }
+
     @token = operation.token
   end
 
   private def receiver
-    @password_reset.user
+    Carbon::Address.new(
+      @password_reset[:user][:full_name],
+      @password_reset[:user][:email]
+    )
   end
 
   private def heading
     Rex.t(:"email.password_reset_request.subject", app_name: App.settings.name)
   end
 
   private def text_message : String
-    user = @password_reset.user
-
     Rex.t(
       :"email.password_reset_request.body",
       app_name: App.settings.name,
-      first_name: user.first_name,
-      last_name: user.last_name,
-      full_name: user.full_name,
-      link: PasswordResetCredentials.new(@token, @password_reset.id).url,
+      first_name: @password_reset[:user][:first_name],
+      last_name: @password_reset[:user][:last_name],
+      full_name: @password_reset[:user][:full_name],
+      link: PasswordResetCredentials.url(@token, @password_reset[:id]),
       link_expiry: Shield.settings.password_reset_expiry.total_minutes.to_i
     )
   end

diff --git a/src/emails/welcome_email.cr b/src/emails/welcome_email.cr
@@ -1,11 +1,24 @@
 class WelcomeEmail < BaseEmail
-  def initialize(operation : RegisterCurrentUser, @user : User)
+  @user : {
+    email: String,
+    first_name: String,
+    full_name: String,
+    last_name: String
+  }
+
+  def initialize(operation : RegisterCurrentUser, user : User)
+    @user = {
+      email: user.email,
+      first_name: user.first_name,
+      full_name: user.full_name,
+      last_name: user.last_name
+    }
   end
 
   reply_to App.settings.email_reply_to
 
   private def receiver
-    @user
+    Carbon::Address.new(@user[:full_name], @user[:email])
   end
 
   private def heading
@@ -16,9 +29,9 @@ class WelcomeEmail < BaseEmail
     Rex.t(
       :"email.welcome.subject",
       app_name: App.settings.name,
-      first_name: @user.first_name,
-      last_name: @user.last_name,
-      full_name: @user.full_name,
+      first_name: @user[:first_name],
+      last_name: @user[:last_name],
+      full_name: @user[:full_name],
       login_url: CurrentLogin::New.url
     )
   end