app/models/concerns/sensitive_serializable_hash.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

# frozen_string_literal: true

module SensitiveSerializableHash
  extend ActiveSupport::Concern

  included do
    class_attribute :attributes_exempt_from_serializable_hash, default: []
  end

  class_methods do
    def prevent_from_serialization(*keys)
      self.attributes_exempt_from_serializable_hash ||= []
      self.attributes_exempt_from_serializable_hash += keys
    end
  end

  # Override serializable_hash to exclude sensitive attributes by default
  #
  # In general, prefer NOT to use serializable_hash / to_json / as_json in favor
  # of serializers / entities instead which has an allowlist of attributes
  def serializable_hash(options = nil)
    options = options.try(:dup) || {}
    options[:except] = Array(options[:except]).dup

    options[:except].concat self.class.attributes_exempt_from_serializable_hash

    if self.class.respond_to?(:encrypted_attributes)
      options[:except].concat self.class.encrypted_attributes.keys

      # Per https://github.com/attr-encrypted/attr_encrypted/blob/a96693e9a2a25f4f910bf915e29b0f364f277032/lib/attr_encrypted.rb#L413
      options[:except].concat self.class.encrypted_attributes.values.map { |v| v[:attribute] }
      options[:except].concat self.class.encrypted_attributes.values.map { |v| "#{v[:attribute]}_iv" }
    end

    super(options)
  end
end