From 2483e19bee8dabfce23b9d25d68311e6cd0e9850 Mon Sep 17 00:00:00 2001
From: Sabe Jones
Date: Tue, 3 Sep 2024 18:15:35 -0500
Subject: [PATCH] Fix 500 errors coming from Google scripts (#15237)
* fix issue with userFields options
* remove only
---------
Co-authored-by: Phillip Thelen
---
 test/api/v4/user/GET-user.test.js | 18 ++++++++++++++++++
 website/server/middlewares/auth.js | 4 +++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/test/api/v4/user/GET-user.test.js b/test/api/v4/user/GET-user.test.js
index f17c19e797..0dadbcf34a 100644
--- a/test/api/v4/user/GET-user.test.js
+++ b/test/api/v4/user/GET-user.test.js
@@ -40,6 +40,24 @@ describe('GET /user', () => {
 expect(returnedUser.stats).to.not.exist;
 });
+ it('returns when ALWAYS_LOADED paths are requested', async () => {
+ const returnedUser = await user.get('/user?userFields=_id,notifications,preferences,auth,flags,permissions');
+
+ expect(returnedUser._id).to.equal(user._id);
+ expect(returnedUser.notifications).to.exist;
+ expect(returnedUser.preferences).to.exist;
+ expect(returnedUser.auth).to.exist;
+ expect(returnedUser.flags).to.exist;
+ expect(returnedUser.permissions).to.exist;
+ });
+
+ it('returns when subpaths paths are requested', async () => {
+ const returnedUser = await user.get('/user?userFields=auth.local.username');
+
+ expect(returnedUser._id).to.equal(user._id);
+ expect(returnedUser.auth.local.username).to.exist;
+ });
+
 it('does not return requested private properties', async () => {
 const returnedUser = await user.get('/user?userFields=apiToken,secret.text');
diff --git a/website/server/middlewares/auth.js b/website/server/middlewares/auth.js
index 55bcf2b147..f5d5614847 100644
--- a/website/server/middlewares/auth.js
+++ b/website/server/middlewares/auth.js
@@ -36,9 +36,11 @@ function getUserFields (options, req) {
 const { userFields } = req.query;
 if (!userFields || urlPath !== '/user') return '';
- const userFieldOptions = userFields.split(',');
+ let userFieldOptions = userFields.split(',');
 if (userFieldOptions.length === 0) return '';
+ userFieldOptions = userFieldOptions.filter(field => USER_FIELDS_ALWAYS_LOADED.indexOf(field.split('.')[0]) === -1);
+
 return userFieldOptions.concat(USER_FIELDS_ALWAYS_LOADED).join(' ');
 }
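Review bot: `userFields` comes straight from `req.query` and is still used without a type check, so the `userFields.split(',')` on the new `let userFieldOptions` line throws whenever the value is not a string. If the usual Express query parser is in use (not visible in this hunk), a repeated or bracketed `userFields` parameter arrives as an array or object, and the request would still end in the kind of 500 this commit sets out to remove. Tightening the existing guard to `if (!userFields || typeof userFields !== 'string' || urlPath !== '/user') return '';` closes that path without changing the empty-value behaviour. The new filter only drops entries whose first segment is in `USER_FIELDS_ALWAYS_LOADED`, so two client-supplied entries that overlap each other (constructed example: `stats,stats.hp`) pass through unchanged and may fail the same way if the 500 comes from overlapping projection paths, as the added tests suggest; a test for that case would settle it. `getUserFields` starts above the hunk, so `urlPath` and the earlier branches are not visible here.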