Remove hidden properties from aggregate responses

[montymxb]

Noticed that the newly added aggregate endpoint leaks hidden properties. This could be particularly problematic if this endpoint is used with the _User class, where particularly sensitive information is leaked.

This utilizes the same screening function that's used in the UsersRouter (removeHiddenProperties) to remove any hidden properties as the last step before the response is sent. That feels like it should be factored out into a separate utils file, but the priority is in making sure this issue is addressed first.

We'll want this (or an equivalent solution) in place before we create any releases containing the aggregate code.

[codecov]

Codecov Report

Merging #4351 into master will decrease coverage by 0.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #4351      +/-   ##
==========================================
- Coverage   92.74%   92.73%   -0.02%     
==========================================
  Files         119      119              
  Lines        8438     8448      +10     
==========================================
+ Hits         7826     7834       +8     
- Misses        612      614       +2

Impacted Files	Coverage Δ
src/Controllers/DatabaseController.js	94.84% <100%> (ø)	⬆️
...dapters/Storage/Postgres/PostgresStorageAdapter.js	96.76% <100%> (+0.01%)	⬆️
src/Adapters/Storage/Mongo/MongoStorageAdapter.js	95.17% <100%> (+0.04%)	⬆️
src/Routers/AggregateRouter.js	100% <100%> (ø)	⬆️
src/RestWrite.js	93.14% <0%> (-0.55%)	⬇️
src/Adapters/Storage/Mongo/MongoTransform.js	85.5% <0%> (+0.16%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 37ceae0...85d94c5. Read the comment docs.

[flovilmart]

can we check that result.updatedAt and result.createdAt are set, as well as ACL?

[dplewis]

I don't think they are set. Should they be set?

[flovilmart]

We should transform transform the results to the proper parse format otherwise the clients ain't gonna like it .

[montymxb]

@flovilmart , all 3 of those are actually returned, but in their direct mongodb forms under their original keys _acl, _created_at and _updated_at. Now that I think of it there should be a transform function somewhere in the mongodb transform or adapter that would move them to the expected keys. I'll look for that and add it into the PR here.

[montymxb]

@flovilmart changes have been made. Just utilized the standard transforms for results returned in both mongodb's & postgres's adapters.

[flovilmart]

Looking good!