fix(settings): strip env-supplied ApiKeys from the request before persisting#9438
Merged
mudler merged 1 commit intomudler:masterfrom Apr 20, 2026
Merged
Conversation
…sisting
GET /api/settings returns settings.ApiKeys as the merged env+runtime list
via ApplicationConfig.ToRuntimeSettings(). The WebUI displays that list and
round-trips it back on POST /api/settings unchanged.
UpdateSettingsEndpoint was then doing:
appConfig.ApiKeys = append(envKeys, runtimeKeys...)
where runtimeKeys already contained envKeys (because the UI got them from
the merged GET). Every save therefore duplicated the env keys on top of
the previous merge, and also wrote the duplicates to runtime_settings.json
so the duplication survived restarts and compounded with each save. This
is the user-visible behaviour in mudler#9071: the Web UI shows the keys
twice / three times after consecutive saves.
Before we marshal the settings to disk or call ApplyRuntimeSettings, drop
any incoming key that already appears in startupConfig.ApiKeys. The file
on disk now stores only the genuinely runtime-added keys; the subsequent
append(envKeys, runtimeKeys...) produces one copy of each env key, as
intended. Behaviour is unchanged for users who never had env keys set.
Fixes mudler#9071
mudler
approved these changes
Apr 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #9071.
GET /api/settingsreturnssettings.ApiKeysas the merged env+runtime list viaApplicationConfig.ToRuntimeSettings(). The WebUI displays that list and round-trips it back onPOST /api/settingsunchanged.UpdateSettingsEndpointwas then doing:where
runtimeKeysalready containedenvKeys(because the UI got them from the merged GET). Every save therefore duplicated the env keys on top of the previous merge, and also wrote the duplicates toruntime_settings.jsonso the duplication survived restarts and compounded with each save. That is the user-visible behaviour in the recording on #9071: the Web UI shows the keys twice / three times after consecutive saves.Before we marshal the settings to disk or call
ApplyRuntimeSettings, drop any incoming key that already appears instartupConfig.ApiKeys. The file on disk now stores only the genuinely runtime-added keys; the subsequentappend(envKeys, runtimeKeys...)produces one copy of each env key, as intended. Behaviour is unchanged for users who never had env keys set.