felixfoertsch/netfelix-audio-fix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

settings: mask API keys in GET /api/settings, add eye-icon reveal

Browse Source 
GET /api/settings now returns jellyfin_api_key, radarr_api_key,
sonarr_api_key, mqtt_password as "***" when set (empty string when
unset). Real values only reach the client via an explicit
GET /api/settings/reveal?key=<key> call, wired to an eye icon on
each secret input in the Settings page.

Save endpoints treat an incoming "***" as a sentinel meaning "user
didn't touch this field, keep stored value", so saving without
revealing preserves the existing secret.

Addresses audit finding #3 (settings endpoint leaks secrets).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Felix Förtsch
2026-04-15 08:15:08 +02:00
parent b0d06a1d8c
commit e040c9a234
3 changed files with 105 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
server/api/execute.ts
View File

@@ -41,8 +41,7 @@ async function runSequential(initial: Job[]): Promise<void> {
const seen = new Set<number>(queue.map((j) => j.id));
while (queue.length > 0) {
// biome-ignore lint/style/noNonNullAssertion: length checked above
const job = queue.shift()!;
const job = queue.shift() as Job;
// Pause outside the processing window
if (!isInProcessWindow()) {

34
server/api/settings.ts
View File

@@ -8,16 +8,37 @@ import { testConnection as testSonarr } from "../services/sonarr";
const app = new Hono();
// Config keys that hold credentials. `GET /` returns these as "***" when set,
// "" when unset. Real values only reach the client via the explicit
// GET /reveal?key=<key> endpoint (eye-icon toggle in the settings UI).
const SECRET_KEYS = new Set(["jellyfin_api_key", "radarr_api_key", "sonarr_api_key", "mqtt_password"]);
app.get("/", (c) => {
const config = getAllConfig();
for (const key of SECRET_KEYS) {
if (config[key]) config[key] = "***";
}
const envLocked = Array.from(getEnvLockedKeys());
return c.json({ config, envLocked });
});
app.get("/reveal", (c) => {
const key = c.req.query("key") ?? "";
if (!SECRET_KEYS.has(key)) return c.json({ error: "not a secret key" }, 400);
return c.json({ value: getConfig(key) ?? "" });
});
// The UI sends "***" as a sentinel meaning "user didn't touch this field,
// keep the stored value". Save endpoints call this before writing a secret.
function resolveSecret(incoming: string | undefined, storedKey: string): string {
if (incoming === "***") return getConfig(storedKey) ?? "";
return incoming ?? "";
}
app.post("/jellyfin", async (c) => {
const body = await c.req.json<{ url: string; api_key: string }>();
const url = body.url?.replace(/\/$/, "");
const apiKey = body.api_key;
const apiKey = resolveSecret(body.api_key, "jellyfin_api_key");
if (!url || !apiKey) return c.json({ ok: false, error: "URL and API key are required" }, 400);
@@ -54,7 +75,7 @@ app.post("/jellyfin", async (c) => {
app.post("/radarr", async (c) => {
const body = await c.req.json<{ url?: string; api_key?: string }>();
const url = body.url?.replace(/\/$/, "");
const apiKey = body.api_key;
const apiKey = resolveSecret(body.api_key, "radarr_api_key");
if (!url || !apiKey) {
setConfig("radarr_enabled", "0");
@@ -72,7 +93,7 @@ app.post("/radarr", async (c) => {
app.post("/sonarr", async (c) => {
const body = await c.req.json<{ url?: string; api_key?: string }>();
const url = body.url?.replace(/\/$/, "");
const apiKey = body.api_key;
const apiKey = resolveSecret(body.api_key, "sonarr_api_key");
if (!url || !apiKey) {
setConfig("sonarr_enabled", "0");
@@ -127,9 +148,10 @@ app.post("/mqtt", async (c) => {
setConfig("mqtt_url", url);
setConfig("mqtt_topic", topic || "jellyfin/events");
setConfig("mqtt_username", username);
// Only overwrite password when a non-empty value is sent, so the UI can
// leave the field blank to indicate "keep the existing one".
if (password) setConfig("mqtt_password", password);
// Only overwrite password when a real value is sent. The UI leaves the
// field blank or sends "***" (masked placeholder) when the user didn't
// touch it — both mean "keep the existing one".
if (password && password !== "***") setConfig("mqtt_password", password);
// Reconnect with the new config. Best-effort; failures surface in status.
startMqttClient().catch(() => {});