From 40bef15b0be70a57efa7071fa46c1c515cfb599d Mon Sep 17 00:00:00 2001
From: Paul Hutchinson
Date: Tue, 18 Nov 2025 14:48:17 +0000
Subject: [PATCH] [feature] SC-166737/improve app proxy security by restricting where token replacements can go
---
 manifest.json | 13 +++++++++++--
 src/constants.ts | 2 +-
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/manifest.json b/manifest.json
index b10a10e..96c1175 100644
--- a/manifest.json
+++ b/manifest.json
@@ -44,12 +44,21 @@
 {
 "url": "https://login.sellsy.com/oauth2/.*",
 "methods": ["POST"],
- "timeout": 20
+ "timeout": 20,
+ "settingsInjection": {
+ "client_id": {
+ "body": ["client_id"]
+ },
+ "client_secret": {
+ "body": ["client_secret"]
+ }
+ }
 },
 {
 "url": "https://api.sellsy.com/v2/.*",
 "methods": ["GET", "POST", "PUT"],
- "timeout": 20
+ "timeout": 20,
+ "settingsInjection": {}
 }
 ]
 }
diff --git a/src/constants.ts b/src/constants.ts
index 93822de..4e1ded5 100644
--- a/src/constants.ts
+++ b/src/constants.ts
@@ -24,7 +24,7 @@ export const placeholders = {
 CLIENT_SECRET: "__client_secret__",
 ACCESS_TOKEN: `[user[${ACCESS_TOKEN_PATH}]]`,
 REFRESH_TOKEN: `[user[${REFRESH_TOKEN_PATH}]]`,
-};
+} as const;
 
 /** Sellsy Pro */
 export const SELLSY_URL = "https://www.sellsy.com";
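Review bot: The `settingsInjection` rule added to the first entry is only as tight as that entry's `url` pattern, and the dots in `login.sellsy.com` are unescaped. If the app proxy evaluates `url` as a regular expression (the trailing `.*` suggests it does), each `.` matches any character, so the rule that allows `client_secret` into the request body also covers hostnames other than the intended one. I would escape the host, `"url": "https://login\\.sellsy\\.com/oauth2/.*"`, and do the same for `api.sellsy.com` in the second entry. Whether the proxy anchors the pattern at both ends is not visible here and is worth confirming. The enclosing array starts outside the hunk.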
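Review bot: `placeholders` has no comment in the visible lines explaining that setting placeholders are now substituted only where `settingsInjection` in manifest.json permits, which after this commit is the request body of the `login.sellsy.com/oauth2` entry. A caller that places `placeholders.CLIENT_SECRET` in a header or URL would presumably send the literal `__client_secret__` instead of the secret, so I would add a doc comment on the object such as `/** Setting placeholders are replaced by the app proxy only in the locations listed under settingsInjection in manifest.json. */`. Note also that `as const` narrows the type at compile time only and does not freeze the object at runtime. The declaration starts above the hunk, so an existing comment there may already cover this.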