From ed0d3395c71790238994d90e1d2bc15d9433c333 Mon Sep 17 00:00:00 2001
From: Sasha <64744993+r1tsuu@users.noreply.github.com>
Date: Sun, 22 Dec 2024 09:37:32 +0200
Subject: [PATCH] test: ensure data strictness (#10123)

Ensures we don't save and read additional properties to the database with both, Local API and `payload.db`.
---
 test/database/int.spec.ts | 51 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/test/database/int.spec.ts b/test/database/int.spec.ts
index 806e8e1469..1cafbc8fd0 100644
--- a/test/database/int.spec.ts
+++ b/test/database/int.spec.ts
@@ -242,6 +242,57 @@ describe('database', () => {
 })
 })
+ describe('Data strictness', () => {
+ it('should not save and leak password, confirm-password from Local API', async () => {
+ const createdUser = await payload.create({
+ collection: 'users',
+ data: {
+ password: 'some-password',
+ // @ts-expect-error
+ 'confirm-password': 'some-password',
+ email: 'user1@payloadcms.com',
+ },
+ })
+
+ let keys = Object.keys(createdUser)
+
+ expect(keys).not.toContain('password')
+ expect(keys).not.toContain('confirm-password')
+
+ const foundUser = await payload.findByID({ id: createdUser.id, collection: 'users' })
+
+ keys = Object.keys(foundUser)
+
+ expect(keys).not.toContain('password')
+ expect(keys).not.toContain('confirm-password')
+ })
+
+ it('should not save and leak password, confirm-password from payload.db', async () => {
+ const createdUser = await payload.db.create({
+ collection: 'users',
+ data: {
+ password: 'some-password',
+ 'confirm-password': 'some-password',
+ email: 'user2@payloadcms.com',
+ },
+ })
+
+ let keys = Object.keys(createdUser)
+
+ expect(keys).not.toContain('password')
+ expect(keys).not.toContain('confirm-password')
+
+ const foundUser = await payload.db.findOne({
+ collection: 'users',
+ where: { id: createdUser.id },
+ })
+
+ keys = Object.keys(foundUser)
+ expect(keys).not.toContain('password')
+ expect(keys).not.toContain('confirm-password')
+ })
+ })
+
 describe('migrations', () => {
 let ranFreshTest = false
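Review bot: Both new tests assert only on the top-level key names of the returned objects, so a plaintext copy of the password kept under a different key or inside a nested object would still pass. The "should not save" half of each title is also verified only through `payload.findByID` and `payload.db.findOne`; if those read paths filter unknown fields (not visible from this hunk), a stored value would go unnoticed. After each pair of key assertions I would add a value-level check, e.g. `expect(JSON.stringify(createdUser)).not.toContain('some-password')` and `expect(JSON.stringify(foundUser)).not.toContain('some-password')`. The bare `// @ts-expect-error` in the first test should state its reason, e.g. `// @ts-expect-error confirm-password is intentionally not part of the users data type`.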