groombook/api
13
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Promote GRO-2294 to UAT: Route Optimization security hardening (#194)
CI / Lint & Typecheck (push) Successful in 28s
Details
CI / Test (push) Successful in 29s
Details
CI / Build & Push Docker Images (push) Successful in 39s
Details
CI / Test (pull_request) Successful in 25s
Details
CI / Lint & Typecheck (pull_request) Successful in 37s
Details
CI / Build & Push Docker Images (pull_request) Successful in 1m8s
Details

Browse Source
This commit was merged in pull request #194.
This commit is contained in:
Flea Flicker
2026-06-09 06:27:17 +00:00
parent 4868f18dfd
commit 2566fb8f20
5 changed files with 206 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/routes/settings.ts
+14 -2
View File
@@ -7,6 +7,17 @@ import { requireSuperUser } from "../middleware/rbac.js";
export const settingsRouter = new Hono();
type BusinessSettingsRow = typeof businessSettings.$inferSelect;
// Strip the encrypted googleMapsApiKey ciphertext from settings responses
// (GRO-2294, defense-in-depth). The secret is never needed client-side; it is
// only written via the dedicated provider-config endpoint.
function redactSettings(row: BusinessSettingsRow) {
const rest: Partial<BusinessSettingsRow> = { ...row };
delete rest.googleMapsApiKey;
return rest;
}
// GET /api/admin/settings — return current business settings
settingsRouter.get("/", async (c) => {
const db = getDb();
@@ -14,9 +25,10 @@ settingsRouter.get("/", async (c) => {
if (!row) {
// Auto-create default settings if none exist
const [created] = await db.insert(businessSettings).values({}).returning();
return c.json(created);
if (!created) throw new Error("Failed to create default settings");
return c.json(redactSettings(created));
}
return c.json(row);
return c.json(redactSettings(row));
});
const hexColorRegex = /^#[0-9a-fA-F]{6}$/;