[security] api: don't show mail password and sensible login data

We don't need to access the mail password via javascript, same applies for login username and hashed password. More restriction should be considered. Change-Id: Iceaa00f6c26987a4aedd65621d2199e9146b62d1
andi34 · Jul 13, 2021 · bad10fc · bad10fc
1 parent b50f250
commit bad10fc
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/api/config.php b/api/config.php
@@ -2,5 +2,11 @@
 header('Content-Type: application/javascript');
 
 require '../lib/config.php';
+
+// Override secret configuration we don't need access from javascript for
+$config['mail']['password'] = 'secret';
+$config['login']['username'] = 'secret';
+$config['login']['password'] = 'secret';
 ?>
-const config = <?= json_encode($config) ?>;
+const config = <?= json_encode($config) ?>;
+