Files
meshcore-analyzer/docs/user-guide
openclaw-bot dd2f81270a fix(routes): stop leaking apiKey presence via writeEnabled on public GET
PR review found GET /api/config/geo-filter is unauthenticated and was
returning writeEnabled (derived from APIKey != "" && !IsWeakAPIKey).
That tells any anonymous caller whether a strong API key is configured
on the server — low-severity info disclosure, but free to fix.

Approach: drop the field entirely instead of gating the endpoint behind
requireAPIKey. The polygon itself is intentionally public (read-only
clients depend on it), so auth-gating the whole endpoint would break
them. Clients that want to write should just attempt PUT and handle
401/403 — the customizer JS already has that error path.

- routes.go: remove writeEnabled from both response branches
- customize-v2.js: always reveal edit controls; rely on PUT error path
- docs/user-guide/geofilter.md: drop the writeEnabled API doc + the
  "controls only appear when..." UX line

Green commit for the red test in the previous commit.
2026-05-21 02:41:07 +00:00
..