groombook/api
13
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(GRO-2299): redact googleMapsApiKey from PATCH /api/admin/settings response
CI / Test (pull_request) Successful in 24s
Details
CI / Lint & Typecheck (pull_request) Successful in 27s
Details
CI / Build & Push Docker Images (pull_request) Successful in 1m18s
Details

Browse Source 
The PATCH handler returned the full businessSettings row via .returning(),
echoing the encrypted googleMapsApiKey ciphertext back to the caller. Wrap the
return in the existing redactSettings() helper (after a !updated guard) so
redaction is applied symmetrically with the GET projection (GRO-2294).

- src/routes/settings.ts: guard + redactSettings(updated) on PATCH return
- src/__tests__/settings.test.ts: assert PATCH omits googleMapsApiKey
  (existing-row and auto-create-then-update branches)
- UAT_PLAYBOOK.md §13 TC-API-13.2: assert PATCH response omits the secret

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Flea Flicker
2026-06-09 06:50:20 +00:00
parent fe412933ea
commit 5f01df819e
3 changed files with 57 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/routes/settings.ts
+2 -1
View File
@@ -65,7 +65,8 @@ settingsRouter.patch(
.where(eq(businessSettings.id, settingsId))
.returning();
return c.json(updated);
if (!updated) throw new Error("Failed to update settings");
return c.json(redactSettings(updated));
}
);