a51a1fc4fc
/api/auth/settings is auth-exempt (the frontend + the pre-login page read it for keybinds/TTS prefs), so non-admin and unauthenticated callers get a scrubbed copy. The previous scrub only blanked TOP-LEVEL string values whose key matched a short suffix list — so a secret nested under a non-secret parent key, or stored under a key outside the list, would leak. A real exposure when the app is reachable over a Cloudflare tunnel / reverse proxy. - src/settings_scrub.py: NEW stdlib-only module with the scrub helpers (deep/ recursive; broadened secret-key patterns). Kept separate from auth_routes so it imports + unit-tests WITHOUT pulling the FastAPI / auth / database chain (addresses review: the test no longer fails at collection on the DB import). - routes/auth_routes.py: import scrub_settings from the module. - tests/test_settings_scrub.py: import the tiny module directly. Ran: pytest tests/test_settings_scrub.py (8 passed); verified the test pulls no db/auth modules into sys.modules; py_compile routes/auth_routes.py. Co-authored-by: Kanaru92 <107661007+Kanaru92@users.noreply.github.com>
2.6 KiB
2.6 KiB