lobstakit-cloud 1.0.6 → 1.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/server.js +11 -3
package/package.json
CHANGED
package/server.js
CHANGED
|
@@ -301,18 +301,26 @@ app.post('/api/auth/change', (req, res) => {
|
|
|
301
301
|
});
|
|
302
302
|
|
|
303
303
|
// GET /api/provision — return provisioning data (email, subdomain, plan) if available
|
|
304
|
+
// LOW-3: Only return setupToken to authenticated sessions
|
|
304
305
|
app.get('/api/provision', (req, res) => {
|
|
305
306
|
const provision = getProvisionData();
|
|
306
307
|
if (provision) {
|
|
307
308
|
const token = req.headers.authorization?.replace('Bearer ', '');
|
|
308
309
|
const isAuthenticated = token && activeSessions.has(token);
|
|
309
|
-
|
|
310
|
+
const lobstaConfig = getLobstaKitConfig();
|
|
311
|
+
const setupNotComplete = !lobstaConfig.passwordHash;
|
|
312
|
+
const response = {
|
|
310
313
|
provisioned: true,
|
|
311
314
|
email: isAuthenticated ? (provision.email || null) : maskEmail(provision.email || ''),
|
|
312
315
|
subdomain: provision.subdomain || null,
|
|
313
316
|
plan: provision.plan || null,
|
|
314
|
-
|
|
315
|
-
|
|
317
|
+
};
|
|
318
|
+
// Return setupToken during initial setup (before password is set) OR to authenticated sessions
|
|
319
|
+
// This is safe because setupToken is only useful ONCE (to set the initial password)
|
|
320
|
+
if (provision.setupToken && (setupNotComplete || isAuthenticated)) {
|
|
321
|
+
response.setupToken = provision.setupToken;
|
|
322
|
+
}
|
|
323
|
+
res.json(response);
|
|
316
324
|
} else {
|
|
317
325
|
res.json({ provisioned: false });
|
|
318
326
|
}
|