Settings GET: never ship spotify.token_info to the browser

Follow-up to 603b7a2a (tokens in the config store): /api/settings GET
returns the whole config dict, which would now include the OAuth access +
refresh tokens. The settings UI has no field for them — strip the key from
the response. dict(config_data) is a SHALLOW copy of live state, so the
section is rebuilt rather than popped in place (verified: response clean,
live config intact, token survives a settings save since POST merges
per-key).
This commit is contained in:
BoulderBadgeDad 2026-06-07 12:14:47 -07:00
parent 603b7a2ab8
commit 1753f2ab43

View file

@ -3011,6 +3011,12 @@ def handle_settings():
else: # GET request
try:
data = dict(config_manager.config_data)
# Never ship the OAuth token payload to the browser — the settings
# UI has no field for it and it doesn't belong in devtools/HAR
# captures. NOTE: dict() above is a SHALLOW copy of live config
# state, so rebuild the section instead of popping in place.
if isinstance(data.get('spotify'), dict) and 'token_info' in data['spotify']:
data['spotify'] = {k: v for k, v in data['spotify'].items() if k != 'token_info'}
# Include which download sources are configured so the UI can auto-disable unconfigured ones
try:
data['_source_status'] = download_orchestrator.get_source_status()