From 1e7bf4a84bde5bde0d41ea166a99b7ce88605026 Mon Sep 17 00:00:00 2001
From: Shakibul Hasan Siyam
Date: Tue, 21 Apr 2026 15:34:37 +0600
Subject: [PATCH] fix(api/services): strip internal fields from public response

Strip internal fields from public response in service retrieval.Previously /api/services returned the full DB row to unauthenticated clients, leaking wholesale costPrice and upstreamPrice margin data, priceLocked flag, and internal numeric ids. Both the main enrichment path and the catch fallback now destructure out the sensitive fields before responding.
---
 server/routes.ts | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/server/routes.ts b/server/routes.ts
index 4728e61..63ac088 100644
--- a/server/routes.ts
+++ b/server/routes.ts
@@ -306,17 +306,23 @@ export async function registerRoutes(
 const tellabotMap = new Map(tellabotServices.map((s: any) => [s.name, s]));
 const enriched = dbServices.map(svc => {
 const tb = tellabotMap.get(svc.name);
- return {
- ...svc,
- available: tb ? parseInt(tb.otp_available) : 0,
- costPrice: tb ? tb.price : null,
- };
+ // Strip internal fields (costPrice, upstreamPrice, priceLocked, internal id) from public response
+ const { costPrice: _cp, upstreamPrice: _up, priceLocked: _pl, id: _id, ...publicSvc } = svc as any;
+ return {
+ ...publicSvc,
+ available: tb ? parseInt(tb.otp_available) : 0,
+ };
 });
 res.json(enriched);
 } catch (err) {
 // Fallback to DB
 const dbServices = await storage.getAllServices();
- res.json(dbServices);
+ // Strip internal fields on fallback too
+ const safe = dbServices.map((s: any) => {
+ const { costPrice: _cp, upstreamPrice: _up, priceLocked: _pl, id: _id, ...rest } = s;
+ return rest;
+ });
+ res.json(safe);
 }
 });
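Review bot: Both new strips are a hand-maintained denylist written twice — the `svc as any` destructure in the enrichment path and the `(s: any)` map in the catch fallback — so the two lists can drift, and any column added to the services table later is exposed by default until someone remembers to add it to both. Factoring the projection into one helper typed from the storage row removes the duplication and restores the compile-time check the `as any` casts currently hide: with a typed row, a misspelled field name in the destructure is an error rather than a silent no-op that leaves the field in the response. An explicit allowlist of public columns would be the safer shape (new columns private by default); the sketch below keeps the denylist only because the public column set is not visible in this hunk. The enclosing route handler and `registerRoutes` begin before the hunk, and the sketch assumes `storage` is in scope where the helper is declared.
```typescript
// One projection for every public path. Typed from the storage row so a misspelled
// field name is a compile error instead of a silent no-op (the `as any` casts hid that).
// TODO(review): prefer an explicit allowlist of public columns here so columns added to
// the services table later stay private by default.
type ServiceRow = Awaited<ReturnType<typeof storage.getAllServices>>[number];
function toPublicService(svc: ServiceRow) {
  const { costPrice: _cp, upstreamPrice: _up, priceLocked: _pl, id: _id, ...publicSvc } = svc;
  return publicSvc;
}
// … unchanged: tellabotMap construction …
const enriched = dbServices.map(svc => {
  const tb = tellabotMap.get(svc.name);
  return { ...toPublicService(svc), available: tb ? parseInt(tb.otp_available) : 0 };
});
// … unchanged: res.json(enriched), catch, and the fallback storage.getAllServices() …
res.json(dbServices.map(toPublicService));
```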