Deep-scrub secrets from public settings

/api/auth/settings is auth-exempt (the frontend + the pre-login page read it for keybinds/TTS prefs), so non-admin and unauthenticated callers get a scrubbed copy. The previous scrub only blanked TOP-LEVEL string values whose key matched a short suffix list — so a secret nested under a non-secret parent key, or stored under a key outside the list, would leak. A real exposure when the app is reachable over a Cloudflare tunnel / reverse proxy. - src/settings_scrub.py: NEW stdlib-only module with the scrub helpers (deep/ recursive; broadened secret-key patterns). Kept separate from auth_routes so it imports + unit-tests WITHOUT pulling the FastAPI / auth / database chain (addresses review: the test no longer fails at collection on the DB import). - routes/auth_routes.py: import scrub_settings from the module. - tests/test_settings_scrub.py: import the tiny module directly. Ran: pytest tests/test_settings_scrub.py (8 passed); verified the test pulls no db/auth modules into sys.modules; py_compile routes/auth_routes.py. Co-authored-by: Kanaru92 <107661007+Kanaru92@users.noreply.github.com>
2026-06-01 07:11:50 -07:00
parent 35f11f2edc
commit a51a1fc4fc
3 changed files with 113 additions and 24 deletions
--- a/src/settings_scrub.py
+++ b/src/settings_scrub.py
@@ -0,0 +1,50 @@
+"""Secret-scrubbing for settings exposed to non-admin / unauthenticated callers.
+
+Deliberately dependency-light (stdlib only) and separate from
+``routes/auth_routes.py`` so it can be imported and unit-tested without dragging
+in the FastAPI app / auth / database import chain.
+
+``/api/auth/settings`` is auth-exempt — the frontend (and the pre-login page)
+read it for keybinds + TTS prefs, so non-admin and unauthenticated callers get a
+*scrubbed* copy. Secrets (provider API keys, IMAP/SMTP passwords, OAuth tokens)
+must NOT leak to them — load-bearing when the app is reachable over a Cloudflare
+tunnel / reverse proxy. Scrubbing is deep (recurses nested dicts/lists) and keyed
+on secret-shaped names.
+"""
+
+_SECRET_KEY_PATTERNS = (
+    "_api_key", "_apikey", "_password", "_passwd", "_pass", "_pwd",
+    "_secret", "_client_secret", "_token", "_access_token", "_refresh_token",
+    "_credential", "_credentials", "_key",
+)
+_SECRET_KEY_ALLOW = ("google_pse_cx",)  # public identifiers, not secrets
+
+
+def is_secret_key(name: str) -> bool:
+    n = (name or "").lower()
+    if n in _SECRET_KEY_ALLOW:
+        return False
+    return any(n.endswith(p) or n == p.lstrip("_") for p in _SECRET_KEY_PATTERNS)
+
+
+def _scrub_value(key, value):
+    """Mask secret-shaped leaves, recursing into nested dicts/lists so a secret
+    stored under a non-secret parent key (e.g.
+    ``{"email_account": {"smtp_password": "..."}}``) is still blanked. Only
+    non-empty *string* values are blanked; presence is preserved."""
+    if isinstance(value, dict):
+        return {
+            k: ("" if (is_secret_key(k) and isinstance(v, str) and v)
+                else _scrub_value(k, v))
+            for k, v in value.items()
+        }
+    if isinstance(value, list):
+        return [_scrub_value(key, item) for item in value]
+    if is_secret_key(key) and isinstance(value, str) and value:
+        return ""
+    return value
+
+
+def scrub_settings(settings: dict) -> dict:
+    """Return a copy of ``settings`` with secret-shaped values masked (deep)."""
+    return {k: _scrub_value(k, v) for k, v in (settings or {}).items()}