Strapi v4 sanitizeEntity

I'm trying out the new strapi v4 right now (4.0.0) community edition. I've got a custom controller which queries for the current user and (in the future) fetches related objects.

When I did this with strapi v3 I used the built-in sanitizeEntity helper function to remove sensitive fields from the user instance. In v4 however, this function appears to not exist anymore and I can't figure out how to achieve this.

Is there anyone that can help me with this? My code so far is:


module.exports = {
  currentUser: async(ctx, next) => {
    let user = ctx.state.user;
    // TODO: sanitize this
  }
}

In v3 I just did return sanitizeEntity(user); which would have the desired effect. I just can't figure out how to do this in v4 and I can't find anything related to that in the docs.



Solution 1:[1]

So I simultaneously posted this question on the strapi community forums. A user named JustJerem got me an answer to this question which looks like this:

const { sanitizeEntity } = require("strapi-utils/lib");

module.exports = (plugin) => {

  plugin.controllers.user.deleteMe = async (ctx) => {
    // the authenticated user comes from the request state
    const user = ctx.state.user;
    const entity = await strapi.entityService.delete('plugin::users-permissions.user', user.id)
    // strip private fields according to the user model before returning
    var result = sanitizeEntity(entity, { model: strapi.getModel('plugin::users-permissions.user') })
    return result
  };
//...
};

The original answer in the strapi forums can be found here:

https://forum.strapi.io/t/v4-0-0-sanitize-user-data/13326/4?u=derelektrischemoench

All credits to this solution go out to JustJerem on the strapi boards. Doing it like this worked for me. Hopefully this can help someone else, too.

Greetings, derelektrischemoench

Solution 2:[2]

You need to use the "sanitize" utility from "@strapi/utils".

const { createCoreController } = require('@strapi/strapi').factories;
const { sanitize } = require('@strapi/utils');

module.exports = createCoreController('api::payment.payment', ({ strapi }) => ({
  async create(ctx) {
    const entity = await strapi.entityService.create('api::payment.payment', {
      data: {
        field1: 1,
        field2: 2,
      },
    });
    const sanitizedEntity = await sanitize.contentAPI.output(entity);

    return { data: sanitizedEntity };
  },
}));

Solution 3:[3]

In Strapi v4 it looks like it's replaced by the sanitizeOutput function. It accepts the entity, but it looks like it needs the context (ctx) to be passed too. It is not described anywhere in the official documentation though.

Solution 4:[4]

So some time later, JustJerem, a guy on the strapi community forums, came up with a solution to this. Firstly you have to install strapi-utils: npm i -D strapi-utils, then in your controller you have to do this:

const { sanitizeEntity } = require('strapi-utils/lib');

module.exports = {
  currentUser: async (ctx, next) => {
    // read the user id from the JWT sent with the request
    const { id, isAdmin = false } = await strapi.plugins['users-permissions'].services.jwt.getToken(ctx);
    const entity = await strapi.entityService.findOne('plugin::users-permissions.user', id); // or get the user differently, in this case I can't take it from context

    // remove private fields as defined by the user model
    let sanitizedEntity = sanitizeEntity(entity, { model: strapi.getModel('plugin::users-permissions.user') });
    return sanitizedEntity;
  },
};

And that's all there is to it. Here's the link to his original post: https://forum.strapi.io/t/v4-0-0-sanitize-user-data/13326

Solution 5:[5]

You can define a sanitizeOutput function and use it (works in strapi 4):

const utils = require("@strapi/utils");
const {sanitize} = utils;

const sanitizeOutput = (data, ctx) => {
   const schema = strapi.getModel('plugin::xxx.yyy');
   const {auth} = ctx.state;
   return sanitize.contentAPI.output(data, schema, {auth});
};

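module.exports = {

  async find(ctx) {
    // retrieve entities (one way to do it; same placeholder uid as above)
    let entities = await strapi.entityService.findMany('plugin::xxx.yyy');
    // call the function
    ctx.body = await sanitizeOutput(entities, ctx);
  },
};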
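
What schema-driven output sanitization does to a user entity, as an added example that is not part of any answer above and is not Strapi's code: a simplified stand-in for the schema-aware call in Solution 5 that drops attributes the schema marks private. The schemas, the sample user, the helper name stripPrivateFields and the fail-closed handling of unknown keys are assumptions constructed for illustration.

```javascript
// Added illustration only: not Strapi's implementation, never calls @strapi/utils.

// Constructed schemas (assumption), shaped like a user model with a role relation.
const roleSchema = {
  attributes: {
    name: { type: 'string' },
    internalNotes: { type: 'text', private: true },
  },
};
const userSchema = {
  attributes: {
    username: { type: 'string' },
    email: { type: 'email' },
    password: { type: 'password', private: true },
    resetPasswordToken: { type: 'string', private: true },
    role: { type: 'relation', target: roleSchema },
  },
};

// Keys returned even though they are not schema attributes (assumption).
const ALWAYS_ALLOWED = new Set(['id']);

// Hypothetical helper: returns a sanitized copy; the input is never mutated.
function stripPrivateFields(data, schema) {
  if (Array.isArray(data)) return data.map((item) => stripPrivateFields(item, schema));
  if (data === null || typeof data !== 'object') return data;
  const out = {};
  for (const [key, value] of Object.entries(data)) {
    if (ALWAYS_ALLOWED.has(key)) { out[key] = value; continue; }
    const attr = schema.attributes[key];
    // Fail closed: drop keys the schema does not describe, private ones and passwords.
    if (!attr || attr.private || attr.type === 'password') continue;
    out[key] = attr.type === 'relation' ? stripPrivateFields(value, attr.target) : value;
  }
  return out;
}

// Constructed sample entity, as a raw database row might look.
const rawUser = {
  id: 7,
  username: 'alice',
  email: 'alice@example.test',
  password: 'constructed-hash-placeholder',
  resetPasswordToken: 'constructed-reset-token',
  debugFlag: true,
  role: { id: 1, name: 'Authenticated', internalNotes: 'constructed note' },
};

console.log(JSON.stringify(stripPrivateFields(rawUser, userSchema)));
```

Returning ctx.state.user directly would skip this step and send the password hash and reset token to the client, which is why every answer above routes the entity through a schema-aware sanitizer first.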

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 derelektrischemoench
Solution 2 Dmitry Naumenkov
Solution 3 Balsa Lazarevic
Solution 4 derelektrischemoench
Solution 5 Ana