Fix Mass Assignments in Leads Endpoint#5668

Merged
christopherholland-workday merged 2 commits into main from feature/mass-assignment-fix on Jan 29, 2026
Conversation

@christopherholland-workday

Contributor

Overview

The endpoint uses Object.assign() to copy all properties from the request body to the Lead entity without any input validation or field filtering. This allows attackers to bypass auto-generated fields and inject arbitrary values.

This PR allows only the fields that are user controlled to be user controlled ('chatflowid', 'name', 'email', 'phone').

Testing

Ran the same curl requests that exposed the issue and ensured that the fields like id and createdDate were generated by the code and not overridden by the request.

Example 1: id

Request:

curl -X POST http://localhost:3000/api/v1/leads \
-H "Content-Type: application/json" \
-d '{ "chatflowid": "attacker-chatflow-456", "name": "Attacker", "email": "attacker@evil.com", "phone": "555-EVIL", "id": "nah-nah-nah" }'

Result (id was not taken from request):
{"name":"Attacker","email":"attacker@evil.com","phone":"555-EVIL","chatflowid":"attacker-chatflow-456","chatId":"865b3723-3486-4605-9c76-ebd6b16a96d8","id":"bb39625f-d9a6-49de-888c-c0f2f0ded6db","createdDate":"2026-01-22T23:32:03.000Z"}

Example 2: createdDate

Request:

curl -X POST http://localhost:3000/api/v1/leads \
-H "Content-Type: application/json" \
-d '{ "chatflowid": "timestamp-test-789", "name": "Time Traveler", "email": "timetraveler@evil.com", "createdDate": "1970-01-01T00:00:00.000Z" }'

Result (createdDate was not taken from request):
{"name":"Time Traveler","email":"timetraveler@evil.com","chatflowid":"timestamp-test-789","chatId":"5c9a31e1-19e4-4887-b122-2f3bc6b01d26","id":"c0c97fd6-0eea-4f9d-b387-ff9b9cbc0df9","createdDate":"2026-01-22T23:38:02.000Z"}

Previously, the id and createdDate values would've been taken from the requests.

@yau-wd yau-wd requested a review from igor-magun-wd January 29, 2026 08:46
@christopherholland-workday christopherholland-workday merged commit 1738fa9 into main Jan 29, 2026
5 checks passed
@yau-wd yau-wd deleted the feature/mass-assignment-fix branch February 3, 2026 07:33
vellanki-santhosh pushed a commit to vellanki-santhosh/Flowise that referenced this pull request Feb 17, 2026
Co-authored-by: yau-wd <yau.ong@workday.com>