From a618ace457423d35760fd1270f0083fd873d9f98 Mon Sep 17 00:00:00 2001
From: Paul Hutchinson
Date: Tue, 18 Nov 2025 14:23:43 +0000
Subject: [PATCH 1/2] [feature] SC-166737/improve app proxy security by restricting where token replacements can go
---
 manifest.json | 13 +++++++++++--
 src/constants.ts | 6 +++---
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/manifest.json b/manifest.json
index 84774c7..6a1a49a 100644
--- a/manifest.json
+++ b/manifest.json
@@ -92,12 +92,21 @@
 {
 "url": "https://www.mindmeister.com/oauth2/.*",
 "methods": ["POST"],
- "timeout": 20
+ "timeout": 20,
+ "settingsInjection": {
+ "app_id": {
+ "body": ["client_id"]
+ },
+ "client_secret": {
+ "body": ["client_secret"]
+ }
+ }
 },
 {
 "url": "https://www.meistertask.com/api/.*",
 "methods": ["GET", "POST", "PUT", "DELETE"],
- "timeout": 20
+ "timeout": 20,
+ "settingsInjection": {}
 }
 ]
 }
diff --git a/src/constants.ts b/src/constants.ts
index ebe32d6..4fdce48 100644
--- a/src/constants.ts
+++ b/src/constants.ts
@@ -20,16 +20,16 @@ export const placeholders = {
 ACCESS_TOKEN: `[user[${ACCESS_TOKEN_PATH}]]`,
 CLIENT_ID: "__client_id__",
 CLIENT_SECRET: "__client_secret__",
-};
+} as const;
 /** MeisterTask */
 export const BASE_URL = "https://www.meistertask.com/api";
 export const AUTH_URL = "https://www.mindmeister.com/oauth2";
 export const HTML_URL = "https://www.meistertask.com/app";
-export const SCOPES = ["userinfo.email", "userinfo.profile", "meistertask"];
+export const SCOPES = ["userinfo.email", "userinfo.profile", "meistertask"] as const;
 export const DESKPRO_LABEL = {
 name: "Deskpro",
 color: "00aaff",
-};
+} as const;
From b587ffffaa0fa85a24acc2f8f35e1edcd1ea30b3 Mon Sep 17 00:00:00 2001
From: Paul <1740195+HappyPaul55@users.noreply.github.com>
Date: Wed, 19 Nov 2025 10:38:53 +0000
Subject: [PATCH 2/2] Update manifest.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 manifest.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
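Review bot: The new `settingsInjection` entry on the OAuth rule limits `client_secret` to the `client_secret` body field, but the rule's destination is still the broad pattern `https://www.mindmeister.com/oauth2/.*`, so the secret may be injected into a POST to any path under `/oauth2/`, not only the token exchange. If the proxy evaluates `url` as a regular expression (the `.*` suffix suggests it does), the unescaped dots in the host also match any character; whether the platform anchors or escapes the host is not visible here and is worth confirming. Consider narrowing the pattern to the token endpoint the app actually calls and escaping the host, e.g. `"url": "https://www\\.mindmeister\\.com/oauth2/<token-path>"` with the real path substituted. The same host-escaping question applies to the `https://www.meistertask.com/api/.*` rule, where `"settingsInjection": {}` presumably blocks all settings injection.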
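Review bot: `placeholders` would benefit from a comment tying `CLIENT_ID` and `CLIENT_SECRET` to the `settingsInjection` allow-list this commit adds to manifest.json, because after this change those tokens are presumably substituted only in the listed body fields of the OAuth request. Something like `/** Substituted by the app proxy; CLIENT_ID / CLIENT_SECRET are only replaced where settingsInjection in manifest.json allows. */` above the declaration would keep a later caller from placing the secret token in a header or URL, where it would presumably be sent as the literal placeholder string. The declaration line of `placeholders` appears only in the hunk header, outside the changed lines. Note also that `as const` narrows the types at compile time only and does not freeze these objects at runtime.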
diff --git a/manifest.json b/manifest.json
index 6a1a49a..473b2c9 100644
--- a/manifest.json
+++ b/manifest.json
@@ -94,7 +94,7 @@
 "methods": ["POST"],
 "timeout": 20,
 "settingsInjection": {
- "app_id": {
+ "client_id": {
 "body": ["client_id"]
 },
 "client_secret": {