Summary
GROUP_PDS_INVITE_CODE is stored as a plaintext string in config and forwarded verbatim to the PDS createAccount call. If invite codes are single-use or rate-limited, any accidental config exposure (log line, debug endpoint, serialised context) would expose a usable invite code.
Details
- The value lives in AppContext alongside the encryption key.
- It is forwarded directly: inviteCode: config.groupPdsInviteCode in src/api/group/register.ts.
- There is no masking or redaction in place.
Suggested Fix
- Redact inviteCode from any logging or serialisation of config/AppContext.
- Evaluate whether the invite code needs to be validated/rotated after use.
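One way to implement the redaction suggested above, as an added example that is not the project's own code: the invite code is wrapped once at config load so that JSON serialisation and string interpolation yield a placeholder, and the plaintext is only available through an explicit reveal() at the createAccount call site. Only GROUP_PDS_INVITE_CODE, groupPdsInviteCode and inviteCode come from the issue; makeSecret, loadConfig, buildCreateAccountInput, pdsUrl and the sample value are assumptions.

```typescript
// Added example. Hypothetical names: makeSecret, loadConfig,
// buildCreateAccountInput, pdsUrl. From the issue: GROUP_PDS_INVITE_CODE,
// groupPdsInviteCode, inviteCode.
const REDACTED = '[REDACTED]';

interface Secret {
  reveal(): string;   // the only way to obtain the plaintext
  toJSON(): string;   // used by JSON.stringify
  toString(): string; // used by template strings and concatenation
}

// The plaintext lives only in the closure, so it is not a data property
// and does not appear when the containing object is serialised.
function makeSecret(value: string): Secret {
  return Object.freeze({
    reveal: () => value,
    toJSON: () => REDACTED,
    toString: () => REDACTED,
  });
}

interface Config {
  pdsUrl: string;             // hypothetical non-secret field
  groupPdsInviteCode: Secret;
}

// Wrap the value once, at load time, so no plaintext copy sits in config.
function loadConfig(env: Record<string, string | undefined>): Config {
  const code = env['GROUP_PDS_INVITE_CODE'];
  if (!code) throw new Error('GROUP_PDS_INVITE_CODE is not set');
  return {
    pdsUrl: 'https://pds.example.invalid', // placeholder value
    groupPdsInviteCode: makeSecret(code),
  };
}

// Stand-in for the call site in src/api/group/register.ts: the single
// place where the code is unwrapped before being sent to the PDS.
function buildCreateAccountInput(config: Config, handle: string) {
  return { handle, inviteCode: config.groupPdsInviteCode.reveal() };
}

// Constructed sample value, not a real invite code.
const sampleConfig = loadConfig({ GROUP_PDS_INVITE_CODE: 'example-invite-0000' });
const serialised = JSON.stringify({ config: sampleConfig });
const logLine = `invite=${sampleConfig.groupPdsInviteCode}`;
```

The object returned by buildCreateAccountInput holds the plaintext again, so it should be passed straight to the PDS client and not logged.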