GET /api/settings now returns jellyfin_api_key, radarr_api_key, sonarr_api_key, mqtt_password as "***" when set (empty string when unset). Real values only reach the client via an explicit GET /api/settings/reveal?key=<key> call, wired to an eye icon on each secret input in the Settings page.

Save endpoints treat an incoming "***" as a sentinel meaning "user didn't touch this field, keep stored value", so saving without revealing preserves the existing secret.

Addresses audit finding #3 (settings endpoint leaks secrets).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
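The mask, reveal and save behaviour described in the commit message above, as an added Python sketch; it is not the project's code. The names SettingsStore, SECRET_KEYS and MASK, the in-memory dict, and the allowlist check in reveal() are assumptions made for illustration.

```python
# Added example. All names here are hypothetical, not taken from the project.
MASK = "***"
SECRET_KEYS = {"jellyfin_api_key", "radarr_api_key", "sonarr_api_key", "mqtt_password"}


class SettingsStore:
    """In-memory stand-in for the settings backend (assumption)."""

    def __init__(self, initial=None):
        self._data = dict(initial or {})

    def public_view(self):
        """Shape of GET /api/settings: set secrets masked, unset secrets empty."""
        view = dict(self._data)
        for key in SECRET_KEYS:
            view[key] = MASK if self._data.get(key) else ""
        return view

    def reveal(self, key):
        """Shape of GET /api/settings/reveal?key=<key>.

        Restricting the lookup to SECRET_KEYS is an assumption of this sketch,
        so the endpoint cannot be used to read arbitrary stored keys.
        """
        if key not in SECRET_KEYS:
            raise KeyError(f"{key!r} is not a revealable secret")
        return self._data.get(key, "")

    def save(self, incoming):
        """Apply a save request; the mask sentinel keeps the stored value."""
        for key, value in incoming.items():
            if key in SECRET_KEYS and value == MASK:
                continue  # field untouched by the user: preserve the secret
            self._data[key] = value  # new value, or "" to clear the secret


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    store = SettingsStore({"jellyfin_api_key": "constructed-key-1", "theme": "dark"})
    form = store.public_view()      # what the Settings page receives
    form["theme"] = "light"         # user edits a non-secret field only
    store.save(form)                # masked secrets come back as "***"
    print(store.public_view())
    print(store.reveal("jellyfin_api_key"))
```

In this sketch a secret whose real value is literally `***` cannot be saved, because the save path cannot tell it apart from the sentinel.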