core: limit sdoc payload

packages/hydrooj/package.json

@@ -1,6 +1,6 @@
 {
     "name": "hydrooj",
-    "version": "3.14.19",
+    "version": "3.14.20",
     "bin": "bin/hydrooj.js",
     "main": "src/loader",
     "module": "src/loader",

packages/hydrooj/src/handler/user.ts

@@ -294,7 +294,7 @@ class UserDetailHandler extends Handler {
         const isSelfProfile = this.user._id === uid;
         const [udoc, sdoc, union] = await Promise.all([
             user.getById(domainId, uid),
-            token.getMostRecentSessionByUid(uid),
+            token.getMostRecentSessionByUid(uid, ['createAt', 'updateAt']),
             domain.getUnion(domainId),
         ]);
         if (!udoc) throw new UserNotFoundError(uid);
@@ -319,12 +319,6 @@ class UserDetailHandler extends Handler {
             }
         }
         const tags = Object.entries(acInfo).sort((a, b) => b[1] - a[1]).slice(0, 20);
-        // Remove sensitive data
-        if (!isSelfProfile && sdoc) {
-            sdoc.createIp = '';
-            sdoc.updateIp = '';
-            sdoc._id = '';
-        }
         this.response.template = 'user_detail.html';
         this.response.body = {
             isSelfProfile, udoc, sdoc, pdocs, tags,

packages/hydrooj/src/model/token.ts

@@ -82,8 +82,11 @@ class TokenModel {
     }
 
     @ArgMethod
-    static async getMostRecentSessionByUid(uid: number) {
+    static async getMostRecentSessionByUid(uid: number, projection: string[]) {
-        return await TokenModel.coll.findOne({ uid, tokenType: TokenModel.TYPE_SESSION }, { sort: { updateAt: -1 } });
+        return await TokenModel.coll.findOne(
+            { uid, tokenType: TokenModel.TYPE_SESSION },
+            { projection: { _id: 0, ...Object.fromEntries(projection.map((i) => [i, 1])) }, sort: { updateAt: -1 } },
+        );
     }
 
     @ArgMethod