
fix: use allow-list for getConnectedApps to prevent data leaking #29243

Draft
jaydeep-pipaliya wants to merge 1 commit into calcom:main from jaydeep-pipaliya:fix/connected-apps-allowlist

Conversation

@jaydeep-pipaliya

Summary

  • Replaces the unsafe deny-list spread pattern in getConnectedApps with an explicit allow-list
  • Prevents future internal/sensitive fields from being automatically exposed in the API response
  • Resolves the existing TODO comment in the code

What was wrong

The current code uses destructuring to exclude known sensitive fields, then spreads the rest:

({ credentials: _, credential, key: _2, ...app }) => {
  return { ...app, /* computed fields */ };
}

This silently exposes any new fields added to the app metadata or database schema. If a field like internalConfig or secretToken were added, it would immediately leak to the frontend without anyone noticing.

Fix

Replaced with an explicit allow-list that picks only the fields defined in the App interface that are safe for frontend consumption (matching the existing AppFrontendPayload type). Sensitive fields (key, credentials, credential, __template) are now excluded by omission rather than explicit exclusion.

Test plan

  • Connected apps page loads correctly with all app info displayed
  • App categories, logos, names, and descriptions render properly
  • Payment app setup detection still works (credential is extracted separately)
  • Team app installations still display correctly
  • No key or credentials fields appear in the API response

Fixes #28923

Replace the unsafe spread pattern that could leak new internal fields
with an explicit allow-list of safe properties. The deny-list approach
({ credentials: _, key: _2, ...app }) silently exposes any new fields
added to the app metadata in the future.

Fixes calcom#28923
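To make the difference between the two projections concrete, here is an added example (not code from the cal.com or Cal.diy repositories). It models an app record that later gains a hypothetical `internalConfig` field, then runs it through a deny-list spread of the kind the PR removes and through an explicit allow-list. The field names `slug`, `name`, `description`, `logo` and `categories` and the sample values are constructed for the example; only `key`, `credentials`, `credential` and `__template` come from the PR description.

```typescript
// Added example, not the project's own code. Contrasts the deny-list spread
// pattern with an explicit allow-list projection of app metadata.

type RawApp = {
  slug: string;
  name: string;
  description: string;
  logo: string;
  categories: string[];
  key?: Record<string, unknown>;        // app-level secrets (named in the PR)
  credentials?: { id: number }[];       // per-user credentials (named in the PR)
  credential?: { id: number } | null;
  __template?: string;
  [extra: string]: unknown;             // whatever a future schema change adds
};

// Deny-list: strip the fields known to be sensitive today, spread the rest.
// Any field added later is exposed automatically.
export function denyListProjection(app: RawApp): Record<string, unknown> {
  const { credentials: _c, credential: _cr, key: _k, __template: _t, ...rest } = app;
  return rest;
}

// Allow-list: the only fields that may ever reach the frontend. A new field
// is excluded by omission until someone deliberately adds it here.
export const FRONTEND_FIELDS = ["slug", "name", "description", "logo", "categories"] as const;
type FrontendField = (typeof FRONTEND_FIELDS)[number];
export type FrontendApp = Pick<RawApp, FrontendField>;

export function allowListProjection(app: RawApp): FrontendApp {
  const out: Record<string, unknown> = {};
  for (const field of FRONTEND_FIELDS) {
    if (field in app) out[field] = app[field];
  }
  return out as FrontendApp;
}

// Constructed sample: an app record that grew a hypothetical internal field.
export const sampleApp: RawApp = {
  slug: "example-app",
  name: "Example App",
  description: "Constructed sample app metadata",
  logo: "/example.svg",
  categories: ["other"],
  key: { client_secret: "constructed-placeholder" },
  credentials: [{ id: 1 }],
  credential: { id: 1 },
  __template: "basic",
  internalConfig: { webhookSecret: "constructed-placeholder" }, // hypothetical new field
};

// Names of fields in a projection that are not on the allow-list, i.e. what
// a response would expose beyond the intended frontend payload.
export function leakedFields(projection: Record<string, unknown>): string[] {
  const allowed: readonly string[] = FRONTEND_FIELDS;
  return Object.keys(projection).filter((k) => !allowed.includes(k));
}

// Running both projections over the sample shows the deny-list passing the
// new internalConfig field through while the allow-list drops it.
console.log("deny-list leaks:", leakedFields(denyListProjection(sampleApp)));
console.log("allow-list leaks:", leakedFields(allowListProjection(sampleApp)));
```

The check worth keeping as a test is the last function: run the real response shape through `leakedFields` and fail the build if anything outside the allow-list appears, which turns "no key or credentials fields appear in the API response" from a manual test-plan item into an assertion.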
github-actions bot added the 🐛 bug label (Something isn't working) on Apr 30, 2026

@github-actions (Contributor)

Welcome to Cal.diy, @jaydeep-pipaliya! Thanks for opening this pull request.

A few things to keep in mind:

  • This is Cal.diy, not Cal.com. Cal.diy is a community-driven, fully open-source fork of Cal.com licensed under MIT. Your changes here will be part of Cal.diy — they will not be deployed to the Cal.com production app.
  • Please review our Contributing Guidelines if you haven't already.
  • Make sure your PR title follows the Conventional Commits format.

A maintainer will review your PR soon. Thanks for contributing!


Labels

🐛 bug Something isn't working size/M


Development

Successfully merging this pull request may close these issues.

🔒 Security/Refactor: Prevent potential data leak in getConnectedApps by explicitly picking safe fields
