From fcd350d5d36c2b8ef732cee93d11b0ccc25bd57b Mon Sep 17 00:00:00 2001
From: Stefanos Anagnostou
Date: Wed, 22 Feb 2023 05:49:51 +0200
Subject: [PATCH] fix(clerk): Remove privateMetadata property from getCurrentUser (#7668)
The privateMetadata property should not be accessible on the client side. This commit removes this property from the getCurrentUser function returned user object.
Co-authored-by: Stefanos Anagnostou
---
.../clerk/setup/src/templates/api/lib/auth.ts.template | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/packages/auth-providers/clerk/setup/src/templates/api/lib/auth.ts.template b/packages/auth-providers/clerk/setup/src/templates/api/lib/auth.ts.template
index 488fe1323898..92f1ee761481 100644
--- a/packages/auth-providers/clerk/setup/src/templates/api/lib/auth.ts.template
+++ b/packages/auth-providers/clerk/setup/src/templates/api/lib/auth.ts.template
@@ -29,11 +29,14 @@ export const getCurrentUser = async (
 const { roles } = parseJWT({ decoded })
+ // Remove privateMetadata property from CurrentUser as it should not be accessible on the web
+ const { privateMetadata, ...userWithoutPrivateMetadata } = decoded
+
 if (roles) {
- return { ...decoded, roles }
+ return { ...userWithoutPrivateMetadata, roles }
 }
- return { ...decoded }
+ return { ...userWithoutPrivateMetadata }
 }
 /**
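Review bot: The added `const { privateMetadata, ...userWithoutPrivateMetadata } = decoded` line is a deny-list of a single key, so every other property of `decoded` — and any field Clerk adds to that object in the future — still flows through `return { ...userWithoutPrivateMetadata, roles }` to the client; if `decoded` is the full Clerk user record (which the presence of privateMetadata suggests), the safer shape is an allow-list of the fields the web side actually reads, e.g. `const { id, emailAddresses, publicMetadata } = decoded`, with the field set confirmed against the app's web code. The `privateMetadata` binding itself is never read, which the repo's `no-unused-vars` rule will likely flag; renaming it `_privateMetadata` or adding `// eslint-disable-next-line @typescript-eslint/no-unused-vars` above the line avoids that. The added comment would also be clearer if it named the exposure path: `// Strip privateMetadata: this object is serialized to the browser via currentUser`. The body of getCurrentUser, where `decoded` is defined, starts outside the hunk.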