From fb999e6a74d04ec51333ed0de065c99fb5daf729 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nuno=20G=C3=B3is?= Date: Wed, 3 May 2023 10:46:33 +0100 Subject: [PATCH] fix: anonymize email in event payload (#3672) Context: https://unleash-internal.slack.com/archives/C048ELND3QD/p1683097636083299 We should also anonymize email fields in `data` and `preData` of event objects when `anonymiseEventLog` is enabled. ![image](https://user-images.githubusercontent.com/14320932/235862643-b59a3f8d-9bc6-4b22-816b-9bc7a0577bfc.png) --- src/lib/routes/admin-api/event.ts | 14 ++++++++++ src/lib/routes/admin-api/events.test.ts | 35 ++++++++++++++++++++++++- 2 files changed, 48 insertions(+), 1 deletion(-) diff --git a/src/lib/routes/admin-api/event.ts b/src/lib/routes/admin-api/event.ts index 76d5413f15..fd6ee27a94 100644 --- a/src/lib/routes/admin-api/event.ts +++ b/src/lib/routes/admin-api/event.ts @@ -111,6 +111,20 @@ export default class EventController extends Controller { return events.map((e: IEvent) => ({ ...e, createdBy: anonymise(e.createdBy), + data: + e.data && 'email' in e.data + ? { + ...e.data, + email: anonymise(e.data.email), + } + : e.data, + preData: + e.preData && 'email' in e.preData + ? { + ...e.preData, + email: anonymise(e.preData.email), + } + : e.preData, })); } return events; diff --git a/src/lib/routes/admin-api/events.test.ts b/src/lib/routes/admin-api/events.test.ts index 526cda2589..7bf10d7a6b 100644 --- a/src/lib/routes/admin-api/events.test.ts +++ b/src/lib/routes/admin-api/events.test.ts @@ -5,7 +5,11 @@ import { createTestConfig } from '../../../test/config/test-config'; import createStores from '../../../test/fixtures/store'; import getApp from '../../app'; -import { FeatureCreatedEvent } from '../../types/events'; +import { + FeatureCreatedEvent, + ProjectUserAddedEvent, + ProjectUserRemovedEvent, +} from '../../types/events'; async function getSetup(anonymise: boolean = false) { const base = `/random${Math.round(Math.random() * 1000)}`; 
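Review bot: The added `data` and `preData` branches in `src/lib/routes/admin-api/event.ts` mask only a top-level `email` key, and `'email' in e.data` throws a TypeError if a stored payload is ever a truthy non-object such as a string. That would turn an anonymised event listing into a server error. The payload types are not visible in this hunk, so both points need confirming against `IEvent`; any event type that carries an address under another key or nested deeper would still be returned in clear text with `anonymiseEventLog` enabled. Folding the two identical ternaries into one guarded helper removes the duplication and makes the object and string checks explicit. The enclosing method starts and ends outside the hunk.

```typescript
// proposed helper: masks only a top-level string `email`, returns anything else untouched
function anonymiseEmailField<T>(payload: T): T {
    if (typeof payload !== 'object' || payload === null) {
        return payload;
    }
    const { email } = payload as { email?: unknown };
    return typeof email === 'string'
        ? { ...payload, email: anonymise(email) }
        : payload;
}

// … unchanged: events.map((e: IEvent) => ({ ...e, createdBy: anonymise(e.createdBy), …
    data: anonymiseEmailField(e.data),
    preData: anonymiseEmailField(e.preData),
// … unchanged: closing of the map callback and the non-anonymised return …
```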
@@ -71,3 +75,32 @@ test('should anonymise events list via admin', async () => {
 expect(body.events.length).toBe(1);
 expect(body.events[0].createdBy).toBe('676212ff7@unleash.run');
 });
+
+test('should also anonymise email fields in data and preData properties', async () => {
+ const email1 = 'test1@email.com';
+ const email2 = 'test2@email.com';
+
+ const { request, base, eventStore } = await getSetup(true);
+ eventStore.store(
+ new ProjectUserAddedEvent({
+ createdBy: 'some@email.com',
+ data: { name: 'test', project: 'default', email: email1 },
+ project: 'default',
+ }),
+ );
+ eventStore.store(
+ new ProjectUserRemovedEvent({
+ createdBy: 'some@email.com',
+ preData: { name: 'test', project: 'default', email: email2 },
+ project: 'default',
+ }),
+ );
+ const { body } = await request
+ .get(`${base}/api/admin/events`)
+ .expect('Content-Type', /json/)
+ .expect(200);
+
+ expect(body.events.length).toBe(2);
+ expect(body.events[0].data.email).not.toBe(email1);
+ expect(body.events[1].preData.email).not.toBe(email2);
+});
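Review bot: The two `not.toBe(...)` assertions at the end of the new test would also pass if the field came back empty or mangled, so they do not pin the anonymised form the way the `createdBy` check in the test above does. Assuming `anonymise` produces the same `…@unleash.run` form for these fields, `expect(body.events[0].data.email).toMatch(/@unleash\.run$/)` (and the same for `preData.email`) would make a regression visible, and `expect(body.events[0].data.name).toBe('test')` would show the rest of the payload survives the spread. The test also indexes `events[0]` and `events[1]` by insertion order without awaiting `eventStore.store(...)`. If the store is asynchronous or the listing is sorted differently, that ordering is an assumption worth confirming. A companion case with `getSetup(false)` asserting the addresses are returned unchanged would document that masking is tied to the flag.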