Commit graph

2 commits

Author SHA1 Message Date
Henrique Dias
ec13054671
fix(share): stop exposing password hash and bypass token in share API (GHSA-833g-cqhp-h72j)
The share management endpoints serialized the storage struct directly, returning
the bcrypt password_hash (crackable offline) and the bypass token for every
share an authenticated caller could list, with admins seeing them for all users.
Return a response DTO that exposes only whether a share is password-protected
(hasPassword) and drops both secrets. The storage struct keeps its tags so the
secrets stay persisted and the server-side auth/public flows are unchanged.
Updates the frontend to use hasPassword and adds a regression test.
2026-06-27 09:08:56 +02:00
JinHyuk Sung
43a404ca69
fix: match admin share paths by owner scope (#5992) 2026-06-27 07:43:22 +02:00