mirror of
https://github.com/Kpa-clawbot/meshcore-analyzer.git
synced 2026-07-13 08:58:54 +00:00
dd2f81270a
PR review found GET /api/config/geo-filter is unauthenticated and was returning writeEnabled (derived from APIKey != "" && !IsWeakAPIKey). That tells any anonymous caller whether a strong API key is configured on the server — low-severity info disclosure, but free to fix. Approach: drop the field entirely instead of gating the endpoint behind requireAPIKey. The polygon itself is intentionally public (read-only clients depend on it), so auth-gating the whole endpoint would break them. Clients that want to write should just attempt PUT and handle 401/403 — the customizer JS already has that error path. - routes.go: remove writeEnabled from both response branches - customize-v2.js: always reveal edit controls; rely on PUT error path - docs/user-guide/geofilter.md: drop the writeEnabled API doc + the "controls only appear when..." UX line Green commit for the red test in the previous commit.