uat→main (PROD): GRO-2294 Route Optimization security hardening (frozen @2566fb8) (#197)

feat(security): GRO-2294 Route Optimization security hardening [squash] Co-authored-by: Flea Flicker <22+gb_flea@noreply.git.farh.net> Co-committed-by: Flea Flicker <22+gb_flea@noreply.git.farh.net>
2026-06-09 07:38:02 +00:00
parent e9ad92de01
commit 2b92c2ab6c
5 changed files with 206 additions and 4 deletions
@@ -7,6 +7,17 @@ import { requireSuperUser } from "../middleware/rbac.js";

 export const settingsRouter = new Hono();

+type BusinessSettingsRow = typeof businessSettings.$inferSelect;
+
+// Strip the encrypted googleMapsApiKey ciphertext from settings responses
+// (GRO-2294, defense-in-depth). The secret is never needed client-side; it is
+// only written via the dedicated provider-config endpoint.
+function redactSettings(row: BusinessSettingsRow) {
+  const rest: Partial<BusinessSettingsRow> = { ...row };
+  delete rest.googleMapsApiKey;
+  return rest;
+}
+
 // GET /api/admin/settings — return current business settings
 settingsRouter.get("/", async (c) => {
  const db = getDb();
@@ -14,9 +25,10 @@ settingsRouter.get("/", async (c) => {
  if (!row) {
    // Auto-create default settings if none exist
    const [created] = await db.insert(businessSettings).values({}).returning();
-    return c.json(created);
+    if (!created) throw new Error("Failed to create default settings");
+    return c.json(redactSettings(created));
  }
-  return c.json(row);
+  return c.json(redactSettings(row));
 });

 const hexColorRegex = /^#[0-9a-fA-F]{6}$/;