Fixing userId storage to redis and making sure lockedBy property never stored.

packages/server/src/api/controllers/application.js

@@ -138,6 +138,9 @@ exports.fetch = async function (ctx) {
       const lock = locks.find(lock => lock.appId === app._id)
       if (lock) {
         app.lockedBy = lock.user
+      } else {
+        // make sure its definitely not present
+        delete app.lockedBy
       }
     }
   }
@@ -222,6 +225,12 @@ exports.update = async function (ctx) {
   const data = ctx.request.body
   const newData = { ...application, ...data, url }
 
+  // the locked by property is attached by server but generated from
+  // Redis, shouldn't ever store it
+  if (newData.lockedBy) {
+    delete newData.lockedBy
+  }
+
   const response = await db.put(newData)
   data._rev = response.rev
 

packages/server/src/utilities/redis.js

@@ -32,9 +32,11 @@ exports.getAllLocks = async () => {
 
 exports.updateLock = async (devAppId, user) => {
   // make sure always global user ID
+  const globalId = getGlobalIDFromUserMetadataID(user._id)
   const inputUser = {
     ...user,
-    _id: getGlobalIDFromUserMetadataID(user._id),
+    userId: globalId,
+    _id: globalId,
   }
   await devAppClient.store(devAppId, inputUser, APP_DEV_LOCK_SECONDS)
 }