
Add request schemas for project endpoints#1701

Merged
rmn-snpk merged 1 commit into main from fix/exclude-tables-token-from-api on Dec 1, 2025

Conversation

@rmn-snpk

@rmn-snpk rmn-snpk commented Dec 1, 2025

Fixes OPS-3115.

Simply added schemas to remove the token from the response

@linear

linear Bot commented Dec 1, 2025

@coderabbitai

coderabbitai Bot commented Dec 1, 2025

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@sonarqubecloud

sonarqubecloud Bot commented Dec 1, 2025

@rmn-snpk rmn-snpk marked this pull request as ready for review December 1, 2025 11:03
Copilot AI review requested due to automatic review settings December 1, 2025 11:03

Copilot AI left a comment


Pull request overview

This PR adds request schemas to project endpoints to exclude the tablesDatabaseToken field from API responses for security purposes.

Key Changes:

  • Added response schemas to GET endpoints that omit the tablesDatabaseToken field from project objects
  • Restructured imports to include Type, Project, and SeekPage from shared packages

@greptile-apps

greptile-apps Bot commented Dec 1, 2025

Greptile Overview

Greptile Summary

Added response schemas to user project endpoints to exclude the sensitive tablesDatabaseToken field from API responses.

Changes:

  • Imported Type utility and Project, SeekPage types from @openops/shared
  • Created ProjectWithoutToken schema using Type.Omit to exclude tablesDatabaseToken
  • Applied response schemas to both GET /:id and GET / endpoints

Note: The project-worker-controller.ts endpoint may need similar protection if it returns project data to external consumers.

Confidence Score: 4/5

  • This PR is safe to merge with a security improvement that prevents token exposure
  • Score reflects a solid security fix that properly redacts sensitive database tokens from API responses. Implementation uses TypeBox's Type.Omit correctly. Minor concern: the worker controller endpoint may need similar protection, which should be verified separately.
  • No files require special attention, though verify project-worker-controller.ts doesn't expose tokens

Important Files Changed

File Analysis

Filename: packages/server/api/src/app/project/project-controller.ts
Score: 4/5
Overview: Added response schemas to exclude sensitive tablesDatabaseToken from API responses; worker controller may need similar fix

Sequence Diagram

sequenceDiagram
    participant Client
    participant API as Project Controller
    participant Service as Project Service
    participant DB as Database

    Note over Client,DB: GET /:id - Fetch Single Project
    Client->>API: GET /v1/users/projects/:id
    API->>Service: projectService.getOneOrThrow(projectId)
    Service->>DB: Query project with tablesDatabaseToken
    DB-->>Service: Full Project (including token)
    Service-->>API: Full Project Object
    Note over API: Response Schema Applied:<br/>ProjectWithoutToken removes<br/>tablesDatabaseToken field
    API-->>Client: Project (without tablesDatabaseToken)

    Note over Client,DB: GET / - List Projects
    Client->>API: GET /v1/users/projects/
    API->>Service: projectService.getOneOrThrow(projectId)
    Service->>DB: Query project with tablesDatabaseToken
    DB-->>Service: Full Project (including token)
    Service-->>API: Full Project Object
    Note over API: Response Schema Applied:<br/>SeekPage(ProjectWithoutToken)<br/>removes tablesDatabaseToken
    API-->>Client: Paginated Projects (without tokens)
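The redaction the summary above describes, as an added example that is not the project's code: hand-rolled stand-ins for TypeBox's Type.Omit and for Fastify's schema-driven response serialization (which emits only the properties a response schema declares), applied to a constructed Project row. Field names other than tablesDatabaseToken, and the SeekPage shape, are assumptions.

```typescript
// Added example, not code from the PR: minimal stand-ins for TypeBox's Type.Omit and for
// Fastify's response serializer, which writes only the properties the schema declares.
type Schema =
  | { type: 'object'; properties: Record<string, Schema> }
  | { type: 'array'; items: Schema }
  | { type: 'string' }
  | { type: 'null' }

// Stand-in for the shared Project schema (fields other than tablesDatabaseToken are assumed).
const Project: Schema = {
  type: 'object',
  properties: { id: { type: 'string' }, displayName: { type: 'string' }, tablesDatabaseToken: { type: 'string' } },
}
// Equivalent of Type.Omit(Project, ['tablesDatabaseToken']): the same object schema minus the named keys.
function omit(schema: Schema, keys: string[]): Schema {
  if (schema.type !== 'object') throw new Error('omit expects an object schema')
  const properties: Record<string, Schema> = {}
  for (const k in schema.properties) if (keys.indexOf(k) === -1) properties[k] = schema.properties[k]
  return { type: 'object', properties }
}
// Assumed SeekPage shape: a data array of the item schema plus cursor fields.
function seekPage(items: Schema): Schema {
  return { type: 'object', properties: { data: { type: 'array', items }, next: { type: 'null' }, previous: { type: 'null' } } }
}
// Schema-driven serializer: a property the schema does not declare is never copied, whatever the object holds.
function serialize(schema: Schema, value: unknown): unknown {
  if (schema.type === 'object') {
    const src = value as Record<string, unknown>
    const out: Record<string, unknown> = {}
    for (const k in schema.properties) if (k in src) out[k] = serialize(schema.properties[k], src[k])
    return out
  }
  if (schema.type === 'array') return (value as unknown[]).map((v) => serialize(schema.items, v))
  return value
}

type ProjectRow = { id: string; displayName: string; tablesDatabaseToken: string }
const ProjectWithoutToken = omit(Project, ['tablesDatabaseToken'])
// Bodies GET /:id and GET / would send once the PR's response schemas are applied.
function getOneResponse(project: ProjectRow): Record<string, unknown> {
  return serialize(ProjectWithoutToken, project) as Record<string, unknown>
}
function listResponse(projects: ProjectRow[]): Record<string, unknown> {
  return serialize(seekPage(ProjectWithoutToken), { data: projects, next: null, previous: null }) as Record<string, unknown>
}
// Regression check for a test suite: no serialized body may carry the token key.
function leaksToken(body: unknown): boolean { return JSON.stringify(body).indexOf('tablesDatabaseToken') !== -1 }
// Constructed sample row; the token value is a placeholder.
const sampleRow: ProjectRow = { id: 'proj_1', displayName: 'demo', tablesDatabaseToken: 'PLACEHOLDER_TOKEN' }
```

The same leaksToken check run against the worker controller's responses would settle the open question the summary raises about that endpoint.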


@greptile-apps greptile-apps Bot left a comment


1 file reviewed, 1 comment

@rmn-snpk rmn-snpk merged commit f6ea2e6 into main Dec 1, 2025
24 checks passed
@rmn-snpk rmn-snpk deleted the fix/exclude-tables-token-from-api branch December 1, 2025 11:32