fix(nextjs): Remove organization private metadata from __NEXT_DATA__

This allows for sensitive fields like `organization.privateMetadata` to be available inside the `withServerSideAuth` callback while ensuring that these fields will not get serialized into the client-accessible __NEXT_DATA__ script.

Author: SokratisVidros

packages/nextjs/src/middleware/utils/sanitizeAuthData.ts

@@ -2,7 +2,7 @@ import { AuthData } from '../types';
 
 /**
  *
- * Removes sensitive data from User and Session
+ * Removes sensitive data from User and Organization
  * This allows for sensitive fields like `user.privateMetadata` to be available
  * inside the `withServerSideAuth` callback, while ensuring that these fields
  * will not get serialized into the client-accessible __NEXT_DATA__ script
@@ -15,5 +15,12 @@ export function sanitizeAuthData(authData: AuthData): any {
     // @ts-expect-error;
     delete user['privateMetadata'];
   }
-  return { ...authData, user };
+
+  const organization = authData.organization ? { ...authData.organization } : authData.organization;
+  if (organization) {
+    // @ts-expect-error;
+    delete organization['privateMetadata'];
+  }
+
+  return { ...authData, user, organization };
 }