lobstakit-cloud 1.0.6 → 1.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/server.js +8 -3
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lobstakit-cloud",
3
- "version": "1.0.6",
3
+ "version": "1.0.7",
4
4
  "description": "LobstaKit Cloud — Setup wizard and management for LobstaCloud gateways",
5
5
  "main": "server.js",
6
6
  "bin": {
package/server.js CHANGED
@@ -301,18 +301,23 @@ app.post('/api/auth/change', (req, res) => {
301
301
  });
302
302
 
303
303
  // GET /api/provision — return provisioning data (email, subdomain, plan) if available
304
+ // LOW-3: Only return setupToken to authenticated sessions
304
305
  app.get('/api/provision', (req, res) => {
305
306
  const provision = getProvisionData();
306
307
  if (provision) {
307
308
  const token = req.headers.authorization?.replace('Bearer ', '');
308
309
  const isAuthenticated = token && activeSessions.has(token);
309
- res.json({
310
+ const response = {
310
311
  provisioned: true,
311
312
  email: isAuthenticated ? (provision.email || null) : maskEmail(provision.email || ''),
312
313
  subdomain: provision.subdomain || null,
313
314
  plan: provision.plan || null,
314
- setupToken: provision.setupToken || null
315
- });
315
+ };
316
+ // Only expose setupToken to authenticated sessions
317
+ if (isAuthenticated && provision.setupToken) {
318
+ response.setupToken = provision.setupToken;
319
+ }
320
+ res.json(response);
316
321
  } else {
317
322
  res.json({ provisioned: false });
318
323
  }