From 729747a2f813e314ea3823debebc68042ba58892 Mon Sep 17 00:00:00 2001
From: Sulka Haro
Date: Sun, 16 Feb 2020 14:30:15 +0200
Subject: [PATCH] Allow flagging specific settings to be not exposed the /properties and /status APIs (#5525)
---
 lib/api/properties.js | 2 ++
 lib/api/status.js | 7 +++++--
 lib/settings.js | 31 +++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/lib/api/properties.js b/lib/api/properties.js
index 981f3c31328..7e9fd88ebab 100644
--- a/lib/api/properties.js
+++ b/lib/api/properties.js
@@ -42,6 +42,8 @@ function create (env, ctx) {
 result = _pick(sbx.properties, selected);
 }
+ result = env.settings.filteredSettings(result);
+
 if (req.query && req.query.pretty) {
 res.setHeader('Content-Type', 'application/json');
 res.send(JSON.stringify(result, null, 2));
diff --git a/lib/api/status.js b/lib/api/status.js
index dc8d97bcdd3..b630d629593 100644
--- a/lib/api/status.js
+++ b/lib/api/status.js
@@ -14,6 +14,9 @@ function configure (app, wares, env, ctx) {
 // Status badge/text/json
 api.get('/status', function (req, res) {
+
+ let extended = env.settings.filteredSettings(app.extendedClientSettings);
+ let settings = env.settings.filteredSettings(env.settings);
 var authToken = req.query.token || req.query.secret || '';
@@ -26,8 +29,8 @@ function configure (app, wares, env, ctx) {
 , apiEnabled: app.enabled('api')
 , careportalEnabled: app.enabled('api') && env.settings.enable.indexOf('careportal') > -1
 , boluscalcEnabled: app.enabled('api') && env.settings.enable.indexOf('boluscalc') > -1
- , settings: env.settings
- , extendedSettings: app.extendedClientSettings
+ , settings: settings
+ , extendedSettings: extended
 , authorized: ctx.authorization.authorize(authToken)
 };
diff --git a/lib/settings.js b/lib/settings.js
index 309da22babf..fac18986aae 100644
--- a/lib/settings.js
+++ b/lib/settings.js
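Review bot: The added `result = env.settings.filteredSettings(result);` line in lib/api/properties.js has no comment, and its name suggests it only handles settings while here it is applied to the sandbox properties payload. I would add `// Strip keys listed in secureSettings (lib/settings.js) from the response; works on a deep copy, so sbx.properties is not modified.` above it. The copy is made with `_.cloneDeep` on every request, so if the properties object is large this is a per-request cost worth measuring. The handler starts and ends outside the hunk, so the branch that does not go through `_pick` is not visible here.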
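Review bot: Both filtered copies at the top of the `/status` handler in lib/api/status.js are rebuilt with a deep clone on every request, before the token is even read. If `env.settings` and `app.extendedClientSettings` do not change after startup (not visible in this hunk), the two calls could move above `api.get(...)` so the clone and key walk happen once. As far as the second hunk shows, the response carries `settings` and `extendedSettings` whatever `authorized` evaluates to, so the key list in lib/settings.js is the only thing keeping those values out of the reply; a comment such as `// settings go to every caller; secrets are removed by filteredSettings` would make that dependency explicit. The new lines use `let` next to the existing `var authToken`, which is a small style inconsistency.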
@@ -69,6 +69,12 @@ function init () {
 , frameName8: ''
 };
+ var secureSettings = [
+ 'apnsKey'
+ , 'apnsKeyId'
+ , 'developerTeamId'
+ ];
+
 var valueMappers = {
 nightMode: mapTruthy
 , alarmUrgentHigh: mapTruthy
@@ -96,6 +102,30 @@ function init () {
 , bgTargetBottom: mapNumber
 };
+ function filterObj(obj, secureKeys) {
+ if (obj && typeof obj === 'object') {
+ var allKeys = Object.keys(obj);
+ for (var i = 0 ; i < allKeys.length ; i++) {
+ var k = allKeys[i];
+ if (secureKeys.includes(k)) {
+ console.log('Deleting key', k);
+ delete obj[k];
+ } else {
+ var value = obj[k];
+ if ( typeof value === 'object') {
+ filterObj(value, secureKeys);
+ }
+ }
+ }
+ }
+ return obj;
+ }
+
+ function filteredSettings(settingsObject) {
+ let so = _.cloneDeep(settingsObject);
+ return filterObj(so, secureSettings);
+ }
+
 function mapNumberArray (value) {
 if (!value || _.isArray(value)) {
 return value;
@@ -360,6 +390,7 @@ function init () {
 settings.isAlarmEventEnabled = isAlarmEventEnabled;
 settings.snoozeMinsForAlarmEvent = snoozeMinsForAlarmEvent;
 settings.snoozeFirstMinsForAlarmEvent = snoozeFirstMinsForAlarmEvent;
+ settings.filteredSettings = filteredSettings;
 return settings;
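Review bot: `secureSettings` is a deny-list with no comment, so a secret setting added later is served by /status and /properties unless someone remembers to extend this array. `filterObj` compares with `secureKeys.includes(k)`, which is an exact, case-sensitive match on the key name at any depth, so a differently cased or prefixed variant of these names would pass through. I would document that above the array, for example `// Keys removed from /status and /properties responses (exact name, any depth). Add every new secret setting here.` An allow-list of the settings clients actually need would fail closed instead, though that is a larger change than this commit.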
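Review bot: `console.log('Deleting key', k);` in `filterObj` runs for every matching key on every /status and /properties request, which fills the log without telling an operator anything new; I would drop the line. `filterObj` deletes from the object it is given and is safe only because `filteredSettings` hands it a `_.cloneDeep` copy, so it deserves a comment such as `// Mutates obj in place; pass a copy`. The recursion also has no guard against circular references, which `_.cloneDeep` preserves, so a cyclic input would recurse until the stack overflows; whether sandbox properties can contain a cycle is not visible from this hunk.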