From 1753f2ab43792fe85b5d7dc01dd084d5cad6427f Mon Sep 17 00:00:00 2001 From: BoulderBadgeDad Date: Sun, 7 Jun 2026 12:14:47 -0700 Subject: [PATCH] Settings GET: never ship spotify.token_info to the browser MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Follow-up to 603b7a2a (tokens in the config store): /api/settings GET returns the whole config dict, which would now include the OAuth access + refresh tokens. The settings UI has no field for them — strip the key from the response. dict(config_data) is a SHALLOW copy of live state, so the section is rebuilt rather than popped in place (verified: response clean, live config intact, token survives a settings save since POST merges per-key). --- web_server.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/web_server.py b/web_server.py index 8e6542b6..d9296048 100644 --- a/web_server.py +++ b/web_server.py @@ -3011,6 +3011,12 @@ def handle_settings(): else: # GET request try: data = dict(config_manager.config_data) + # Never ship the OAuth token payload to the browser — the settings + # UI has no field for it and it doesn't belong in devtools/HAR + # captures. NOTE: dict() above is a SHALLOW copy of live config + # state, so rebuild the section instead of popping in place. + if isinstance(data.get('spotify'), dict) and 'token_info' in data['spotify']: + data['spotify'] = {k: v for k, v in data['spotify'].items() if k != 'token_info'} # Include which download sources are configured so the UI can auto-disable unconfigured ones try: data['_source_status'] = download_orchestrator.get_source_status()