Add PII field masking in user search endpoint response to prevent data exposure

[RUKAYAT-CODER]

Overview

src/users/users.controller.ts exposes a search endpoint that returns User entities. If the serialization layer does not strip sensitive fields, PII such as email addresses, phone numbers, and hashed tokens are returned to any authenticated user performing a search, violating the principle of least privilege.

Specifications

Features:

• Search results must only return non-sensitive fields: id, displayName, avatarUrl, role.
• Admin-only search endpoints may return additional fields.

Tasks:

• Create a UserPublicDto containing only safe fields.
• Apply @Exclude() to sensitive fields in the response serialization for the search endpoint.
• Add a dedicated UserAdminDto for admin-scoped search results.
• Add unit tests verifying email is absent from non-admin search results.

Impacted Files:

• src/users/users.controller.ts
• src/users/dto/user-public.dto.ts (new)

Acceptance Criteria

• Non-admin search results do not include email, refreshToken, or passwordHistory.
• Admin search results include additional fields per the UserAdminDto.
• Unit tests verify field absence by role.

[TheBigWealth89]

@TheBigWealth89 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi, maintainer,
can I be assigned this...
can work on it immediately

ℹ️ Repo Maintainers: To accept this application, review their application or assign @TheBigWealth89 to this issue.

[Menjay7]

@Menjay7 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi! I’m a full-stack developer with a strong blockchain background. I’d love to handle this issue and can deliver a clean, reliable solution. Kindly assign it to me.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Menjay7 to this issue.

[Divineifed1]

@Divineifed1 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

hello maintainer, kindly assign me to work on PII field masking in user search endpoint response to prevent data exposure

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Divineifed1 to this issue.

[drips-wave]

Congratulations, @Divineifed1! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @Divineifed1: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊