* Replace `**SECRET_ABC**` placeholders with the value of `process.env.SECRET_ABC`. * * If `allowedSecrets` is given, only those secret names are restored and every * other placeholder is left untouched. Without it, all secrets are restored * (used by the CORS proxy, which only runs on the trust
(input, allowedSecrets)
| 27 | * @returns {string} The input with the allowed placeholders replaced. |
| 28 | */ |
| 29 | function replaceSecretPlaceholder (input, allowedSecrets) { |
| 30 | if (global.config.cors === "allowAll") { |
| 31 | if (input.includes("**SECRET_")) { |
| 32 | Log.error("Replacing secrets doesn't work with CORS `allowAll`, you need to set `cors` to `disabled` or `allowWhitelist` in `config.js`"); |
| 33 | } |
| 34 | return input; |
| 35 | } |
| 36 | return input.replaceAll(/\*\*(SECRET_[^*]+)\*\*/g, (placeholder, secretName) => { |
| 37 | // Block replacing secrets that are not explicitly allowed. |
| 38 | if (allowedSecrets && !allowedSecrets.has(secretName)) { |
| 39 | return placeholder; |
| 40 | } |
| 41 | |
| 42 | // Load the real value from the environment. Fallback to placeholder if missing. |
| 43 | return process.env[secretName] || placeholder; |
| 44 | }); |
| 45 | } |
| 46 | |
| 47 | /** |
| 48 | * A method that forwards HTTP Get-methods to the internet to avoid CORS-errors. |
no outgoing calls
no test coverage detected