prevent some keys from being accidentally exposed

Gemfile

@@ -25,7 +25,7 @@ gem 'bootswatch-rails'
 gem 'sweetalert-rails'
 gem 'will_paginate'
 gem 'will_paginate-bootstrap'
-gem 'devise'
+gem 'devise', '~> 3.4.1'
 gem 'devise-i18n'
 gem 'devise-async'
 gem 'bootstrap_form'

app/models/user.rb

@@ -70,6 +70,13 @@ class User < ActiveRecord::Base
                    end unless website.blank?
   end
 
+  BLACKLIST_FOR_SERIALIZATION = [
+    :email, :profile_picture_content_type, :profile_picture_file_size,
+    :profile_header_content_type, :profile_header_file_size, :encrypted_password,
+    :confirmation_token, :unconfirmed_email, :current_sign_in_ip, :last_sign_in_ip,
+    :reset_password_token, :unlock_token
+  ].freeze
+
   # when a user deleted himself, all reports relating to the user are invalid
   before_destroy do
     rep = Report.where(target_id: self.id, type: 'Reports::User')
@@ -89,6 +96,19 @@ class User < ActiveRecord::Base
     end
   end
 
+  def serializable_hash(options)
+    options ||= {}
+    options[:except] = Array(options[:except])
+
+    if options[:force_except]
+      options[:except].concat Array(options[:force_except])
+    else
+      options[:except].concat BLACKLIST_FOR_SERIALIZATION
+    end
+
+    super(options)
+  end
+
   def login=(login)
     @login = login
   end

docs/api

@@ -1 +1 @@
-Subproject commit 789efd8f8d5037dc15b2b62f6e634ff8f5c5e1ad
+Subproject commit 037ee97f58e48c1b3d6cafded8f56a4a26890b79