security: redact sensitive config values and protect update endpoints

2026-01-23 16:12:31 +08:00
parent 9efe5cd75d
commit 07e413d1ec
2 changed files with 11 additions and 3 deletions
--- a/src/config.js
+++ b/src/config.js
@@ -93,7 +93,14 @@ function loadConfig() {
 loadConfig();

 export function getPublicConfig() {
-    return { ...config };
+    // Create a deep copy and redact sensitive fields
+    const publicConfig = JSON.parse(JSON.stringify(config));
+
+    // Redact sensitive values
+    if (publicConfig.webuiPassword) publicConfig.webuiPassword = '********';
+    if (publicConfig.apiKey) publicConfig.apiKey = '********';
+
+    return publicConfig;
 }

 export function saveConfig(updates) {