Settings GET: never ship spotify.token_info to the browser
Follow-up to 603b7a2a (tokens in the config store): /api/settings GET
returns the whole config dict, which would now include the OAuth access +
refresh tokens. The settings UI has no field for them — strip the key from
the response. dict(config_data) is a SHALLOW copy of live state, so the
section is rebuilt rather than popped in place (verified: response clean,
live config intact, token survives a settings save since POST merges
per-key).
This commit is contained in:
parent
603b7a2ab8
commit
1753f2ab43
1 changed files with 6 additions and 0 deletions
|
|
@ -3011,6 +3011,12 @@ def handle_settings():
|
|||
else: # GET request
|
||||
try:
|
||||
data = dict(config_manager.config_data)
|
||||
# Never ship the OAuth token payload to the browser — the settings
|
||||
# UI has no field for it and it doesn't belong in devtools/HAR
|
||||
# captures. NOTE: dict() above is a SHALLOW copy of live config
|
||||
# state, so rebuild the section instead of popping in place.
|
||||
if isinstance(data.get('spotify'), dict) and 'token_info' in data['spotify']:
|
||||
data['spotify'] = {k: v for k, v in data['spotify'].items() if k != 'token_info'}
|
||||
# Include which download sources are configured so the UI can auto-disable unconfigured ones
|
||||
try:
|
||||
data['_source_status'] = download_orchestrator.get_source_status()
|
||||
|
|
|
|||
Loading…
Reference in a new issue