GRO-2294: Route Optimization security hardening (geocode-batch limit cap + redact settings secret) (#193)

2026-06-09 06:17:42 +00:00
parent cd2f60e282
commit fe412933ea
7 changed files with 219 additions and 4 deletions
@@ -7,6 +7,17 @@ import { requireSuperUser } from "../middleware/rbac.js";

 export const settingsRouter = new Hono();

+type BusinessSettingsRow = typeof businessSettings.$inferSelect;
+
+// Strip the encrypted googleMapsApiKey ciphertext from settings responses
+// (GRO-2294, defense-in-depth). The secret is never needed client-side; it is
+// only written via the dedicated provider-config endpoint.
+function redactSettings(row: BusinessSettingsRow) {
+  const rest: Partial<BusinessSettingsRow> = { ...row };
+  delete rest.googleMapsApiKey;
+  return rest;
+}
+
 // GET /api/admin/settings — return current business settings
 settingsRouter.get("/", async (c) => {
  const db = getDb();
@@ -14,9 +25,10 @@ settingsRouter.get("/", async (c) => {
  if (!row) {
    // Auto-create default settings if none exist
    const [created] = await db.insert(businessSettings).values({}).returning();
-    return c.json(created);
+    if (!created) throw new Error("Failed to create default settings");
+    return c.json(redactSettings(created));
  }
-  return c.json(row);
+  return c.json(redactSettings(row));
 });

 const hexColorRegex = /^#[0-9a-fA-F]{6}$/;