From 36b985d80ac1d1319ade1fa73fa3c99ff1189894 Mon Sep 17 00:00:00 2001
From: Paul Hutchinson <paulhappyhutchinson@protonmail.ch>
Date: Wed, 19 Nov 2025 11:30:49 +0000
Subject: [PATCH] [feature] SC-166737/improve app proxy security by restricting
 where token replacements can go

---
 manifest.json                     | 13 ++++++++++++-
 src/services/hubspot/constants.ts |  4 ++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/manifest.json b/manifest.json
index b72cfc9..5cd5a05 100644
--- a/manifest.json
+++ b/manifest.json
@@ -153,7 +153,18 @@
       {
         "url": "https://api.hubapi.com/.*",
         "methods": ["GET", "POST", "PUT", "PATCH"],
-        "timeout": 30
+        "timeout": 30,
+        "settingsInjection": {
+          "client_id": {
+            "body": ["client_id"]
+          },
+          "client_secret": {
+            "body": ["client_secret"]
+          },
+          "api_token": {
+            "header": ["Authorization"]
+          }
+        }
       }
     ]
   }
diff --git a/src/services/hubspot/constants.ts b/src/services/hubspot/constants.ts
index de04be1..f894fe1 100644
--- a/src/services/hubspot/constants.ts
+++ b/src/services/hubspot/constants.ts
@@ -12,7 +12,7 @@ export const placeholders = {
     API_TOKEN: "__api_token__",
     OAUTH2_ACCESS_TOKEN_PATH: "oauth2/access_token",
     OAUTH2_REFRESH_TOKEN_PATH: "oauth2/refresh_token"
-};
+} as const;
 
 export const BASE_URL = "https://api.hubapi.com";
 
@@ -68,4 +68,4 @@ export const PROPERTIES = {
         "lifecyclestage",
     ],
     companies: ["name"],
-};
+} as const;