MrSphay/odysseus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
59516ec1269bbaf86e2f18ab1e50e6736fd83902
odysseus/src/settings_scrub.py
kanaru-dev a51a1fc4fc Deep-scrub secrets from public settings 
/api/auth/settings is auth-exempt (the frontend + the pre-login page read it for
keybinds/TTS prefs), so non-admin and unauthenticated callers get a scrubbed
copy. The previous scrub only blanked TOP-LEVEL string values whose key matched a
short suffix list — so a secret nested under a non-secret parent key, or stored
under a key outside the list, would leak. A real exposure when the app is
reachable over a Cloudflare tunnel / reverse proxy.

- src/settings_scrub.py: NEW stdlib-only module with the scrub helpers (deep/
  recursive; broadened secret-key patterns). Kept separate from auth_routes so it
  imports + unit-tests WITHOUT pulling the FastAPI / auth / database chain
  (addresses review: the test no longer fails at collection on the DB import).
- routes/auth_routes.py: import scrub_settings from the module.
- tests/test_settings_scrub.py: import the tiny module directly.

Ran: pytest tests/test_settings_scrub.py (8 passed); verified the test pulls no
db/auth modules into sys.modules; py_compile routes/auth_routes.py.

Co-authored-by: Kanaru92 <107661007+Kanaru92@users.noreply.github.com>
2026-06-01 23:11:50 +09:00

51 lines
2.1 KiB
Python
Raw Blame History

"""Secret-scrubbing for settings exposed to non-admin / unauthenticated callers.
Deliberately dependency-light (stdlib only) and separate from
``routes/auth_routes.py`` so it can be imported and unit-tested without dragging
in the FastAPI app / auth / database import chain.
``/api/auth/settings`` is auth-exempt — the frontend (and the pre-login page)
read it for keybinds + TTS prefs, so non-admin and unauthenticated callers get a
*scrubbed* copy. Secrets (provider API keys, IMAP/SMTP passwords, OAuth tokens)
must NOT leak to them — load-bearing when the app is reachable over a Cloudflare
tunnel / reverse proxy. Scrubbing is deep (recurses nested dicts/lists) and keyed
on secret-shaped names.
"""
_SECRET_KEY_PATTERNS = (
"_api_key", "_apikey", "_password", "_passwd", "_pass", "_pwd",
"_secret", "_client_secret", "_token", "_access_token", "_refresh_token",
"_credential", "_credentials", "_key",
)
_SECRET_KEY_ALLOW = ("google_pse_cx",) # public identifiers, not secrets
def is_secret_key(name: str) -> bool:
n = (name or "").lower()
if n in _SECRET_KEY_ALLOW:
return False
return any(n.endswith(p) or n == p.lstrip("_") for p in _SECRET_KEY_PATTERNS)
def _scrub_value(key, value):
"""Mask secret-shaped leaves, recursing into nested dicts/lists so a secret
stored under a non-secret parent key (e.g.
``{"email_account": {"smtp_password": "..."}}``) is still blanked. Only
non-empty *string* values are blanked; presence is preserved."""
if isinstance(value, dict):
return {
k: ("" if (is_secret_key(k) and isinstance(v, str) and v)
else _scrub_value(k, v))
for k, v in value.items()
}
if isinstance(value, list):
return [_scrub_value(key, item) for item in value]
if is_secret_key(key) and isinstance(value, str) and value:
return ""
return value
def scrub_settings(settings: dict) -> dict:
"""Return a copy of ``settings`` with secret-shaped values masked (deep)."""
return {k: _scrub_value(k, v) for k, v in (settings or {}).items()}
Reference in New Issue View Git Blame Copy Permalink