fix: Don't allow serialization of firestore settings (#1742)

abhishekwebcode · ehsannas · web-flow · commit fa0ad66bc7e4 · 2022-08-08T09:47:21.000-05:00
* Dont allow serialization of firestore settings

When logging any firestore object like WriteBatch,Transaction,etc the settings object also gets logged / exposed
This can be seen by running JSON.stringify on any firestore object even a document reference
Many developers log firestore objects to help them debug testing/prod issues, this leaking of entire firestore key via this._settings is a bad practice as per me
We can also use Object.defineProperty to make it non-enumerable or any other technique that you like

* Fix formatting.

* Only redact credentials.

Co-authored-by: Ehsan Nasiri &lt;ehsannas@gmail.com&gt;
diff --git a/dev/src/index.ts b/dev/src/index.ts
@@ -652,6 +652,13 @@ export class Firestore implements firestore.Firestore {
     }
 
     this._settings = settings;
+    this._settings.toJson = function () {
+      const temp = Object.assign({}, this);
+      if (temp.credentials) {
+        temp.credentials = {private_key: '***', client_email: '***'};
+      }
+      return temp;
+    };
     this._serializer = new Serializer(this);
   }
 

Original file line number	Diff line number	Diff line change
`@@ -652,6 +652,13 @@ export class Firestore implements firestore.Firestore {`
`652`	`652`	`}`
`653`	`653`
`654`	`654`	`this._settings = settings;`
	`655`	`+ this._settings.toJson = function () {`
	`656`	`+ const temp = Object.assign({}, this);`
	`657`	`+ if (temp.credentials) {`
	`658`	`+ temp.credentials = {private_key: '*', client_email: '*'};`
	`659`	`+ }`
	`660`	`+ return temp;`
	`661`	`+ };`
`655`	`662`	`this._serializer = new Serializer(this);`
`656`	`663`	`}`
`657`	`664`