lobstakit-cloud 1.0.5 → 1.0.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/config.js +2 -2
- package/package.json +1 -1
- package/server.js +8 -3
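--- a/package/lib/config.js
+++ b/package/lib/config.js
@@ -114,7 +114,7 @@ function writeConfig({ apiKey, model, channel, telegramBotToken, telegramUserId,
 }
 };
 
-fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), 'utf8');
+fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), { encoding: 'utf8', mode: 0o600 });
 console.log('[config] Config written to', CONFIG_PATH);
 return config;
 }
@@ -126,7 +126,7 @@ function writeRawConfig(configObj) {
 if (!fs.existsSync(CONFIG_DIR)) {
 fs.mkdirSync(CONFIG_DIR, { recursive: true });
 }
-fs.writeFileSync(CONFIG_PATH, JSON.stringify(configObj, null, 2), 'utf8');
+fs.writeFileSync(CONFIG_PATH, JSON.stringify(configObj, null, 2), { encoding: 'utf8', mode: 0o600 });
 console.log('[config] Raw config written to', CONFIG_PATH);
 }
 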
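Review bot: The `mode: 0o600` added on the `fs.writeFileSync` line only takes effect when the file is created, so a config file written by an earlier version keeps whatever permissions it already had and upgrading users are not tightened. Add `fs.chmodSync(CONFIG_PATH, 0o600);` directly after each write so the restriction also applies to pre-existing files, and consider `fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });` in writeRawConfig so the containing directory is not left at the umask default. The same point applies to the second hunk (writeRawConfig); writeConfig's body begins before the first hunk.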
package/package.json
CHANGED
package/server.js
CHANGED
@@ -301,18 +301,23 @@ app.post('/api/auth/change', (req, res) => {
301
301
});
302
302
303
303
// GET /api/provision — return provisioning data (email, subdomain, plan) if available
304
+
// LOW-3: Only return setupToken to authenticated sessions
304
305
app.get('/api/provision', (req, res) => {
305
306
const provision = getProvisionData();
306
307
if (provision) {
307
308
const token = req.headers.authorization?.replace('Bearer ', '');
308
309
const isAuthenticated = token && activeSessions.has(token);
309
-
310
+
const response = {
310
311
provisioned: true,
311
312
email: isAuthenticated ? (provision.email || null) : maskEmail(provision.email || ''),
312
313
subdomain: provision.subdomain || null,
313
314
plan: provision.plan || null,
314
-
315
-
315
+
};
316
+
// Only expose setupToken to authenticated sessions
317
+
if (isAuthenticated && provision.setupToken) {
318
+
response.setupToken = provision.setupToken;
319
+
}
320
+
res.json(response);
316
321
} else {
317
322
res.json({ provisioned: false });
318
323
}
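Review bot: The unauthenticated branch of the new `response` object still returns `subdomain` and `plan` (and confirms that provisioning data exists) to any caller; the commit withholds only `setupToken`, so if `/api/provision` is reachable before login it is worth either gating those fields the same way or stating why they are safe to expose, for example by collapsing the two near-duplicate comments (`// LOW-3: Only return setupToken to authenticated sessions` and `// Only expose setupToken to authenticated sessions`) into one that records the contract: `// Unauthenticated callers get a masked email, subdomain and plan; setupToken is sent only with a valid session`. The Bearer parsing on the `const token` line is also written inline here: `replace('Bearer ', '')` strips only an exact-case prefix and otherwise passes the raw header value through, which is harmless given the `activeSessions.has(token)` lookup but would be cleaner as a shared helper if other routes (presumably `/api/auth/change`, visible in the hunk header) do the same. The route handler's closing `});` lies outside the hunk.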