From f81da11b844ad648a3742526a7109f983fe5cfe5 Mon Sep 17 00:00:00 2001
From: Douglas Muraoka
Date: Tue, 6 Aug 2019 21:21:33 -0300
Subject: [PATCH] fix(GraphQL): Remove "password" output field from _User class (#5889)
---
 spec/ParseGraphQLServer.spec.js | 15 +++++++++++++++
 src/GraphQL/loaders/parseClassTypes.js | 6 ++++++
 2 files changed, 21 insertions(+)
diff --git a/spec/ParseGraphQLServer.spec.js b/spec/ParseGraphQLServer.spec.js
index 37ec282e..5d62b658 100644
--- a/spec/ParseGraphQLServer.spec.js
+++ b/spec/ParseGraphQLServer.spec.js
@@ -765,6 +765,21 @@ describe('ParseGraphQLServer', () => {
 })).data['__type'].fields.map(field => field.name);
 expect(userFields.indexOf('foo') !== -1).toBeTruthy();
 });
+
+ it('should not contain password field from _User class', async () => {
+ const userFields = (await apolloClient.query({
+ query: gql`
+ query UserType {
+ __type(name: "_UserClass") {
+ fields {
+ name
+ }
+ }
+ }
+ `,
+ })).data['__type'].fields.map(field => field.name);
+ expect(userFields.includes('password')).toBeFalsy();
+ });
 });
 describe('Configuration', function() {
diff --git a/src/GraphQL/loaders/parseClassTypes.js b/src/GraphQL/loaders/parseClassTypes.js
index 013229b3..d32adc84 100644
--- a/src/GraphQL/loaders/parseClassTypes.js
+++ b/src/GraphQL/loaders/parseClassTypes.js
@@ -213,6 +213,12 @@ const getInputFieldsAndConstraints = function(
 } else {
 classOutputFields = classCustomFields;
 }
+ // Filters the "password" field from class _User
+ if (parseClass.className === '_User') {
+ classOutputFields = classOutputFields.filter(
+ outputField => outputField !== 'password'
+ );
+ }
 if (allowedConstraintFields) {
 classConstraintFields = classCustomFields.filter(field => {
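Review bot: In spec/ParseGraphQLServer.spec.js the new test asserts with `expect(userFields.includes('password')).toBeFalsy();`, which on failure reports only a boolean; `expect(userFields).not.toContain('password');` states the intent directly and prints the field list when it fails. The test also pins only the `_UserClass` output type, so the constraint and ordering input types generated for `_User` are left unchecked; a companion introspection assertion for those would guard the same field from the query side. The enclosing `describe` block starts outside the hunk.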
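Review bot: In src/GraphQL/loaders/parseClassTypes.js the new filter strips `password` only from `classOutputFields`, while the trailing context shows `classConstraintFields` still being built from the unfiltered `classCustomFields`. If the field stays usable as a `where` constraint (and presumably as a sort key further down), a client that cannot select it may still learn about the stored value through filtering or ordering, so the exclusion should cover those lists as well, while the create/update inputs keep it for sign-up. One way is a shared predicate declared above the branches, `const isHiddenUserField = field => parseClass.className === '_User' && field === 'password';`, applied to the output, constraint and sort lists. Whether the layers below already reject such constraints is not visible here, and getInputFieldsAndConstraints starts and ends outside the hunk.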