From a1a2219544e3f7e5807340be50388abc58c2e4bb Mon Sep 17 00:00:00 2001
From: Paul Hutchinson
Date: Fri, 14 Nov 2025 11:48:32 +0000
Subject: [PATCH 1/2] [feature] SC-166737/improve app proxy security by restricting where token replacements can go
---
 manifest.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/manifest.json b/manifest.json
index 9eb9e02..d97255f 100644
--- a/manifest.json
+++ b/manifest.json
@@ -50,7 +50,19 @@
 {
 "url": "https://(.*).xero.com/.*",
 "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"],
- "timeout": 30
+ "timeout": 30,
+ "settingsInjection": {
+ "client_id": {
+ "headers": ["Authorization"]
+ },
+ "client_secret": {
+ "headers": ["Authorization"]
+ },
+ "global_access_token": {
+ "body": ["refresh_token"],
+ "headers": ["xero-tenant-id"]
+ }
+ }
 }
 ]
 }
From 087571407e20903c3dec43f7e675184d15decf07 Mon Sep 17 00:00:00 2001
From: Paul Hutchinson
Date: Wed, 19 Nov 2025 12:31:43 +0000
Subject: [PATCH 2/2] [feature] SC-166737/improve app proxy security by restricting where token replacements can go
---
 manifest.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/manifest.json b/manifest.json
index d97255f..b83c99a 100644
--- a/manifest.json
+++ b/manifest.json
@@ -53,14 +53,14 @@
 "timeout": 30,
 "settingsInjection": {
 "client_id": {
- "headers": ["Authorization"]
+ "header": ["Authorization"]
 },
 "client_secret": {
- "headers": ["Authorization"]
+ "header": ["Authorization"]
 },
 "global_access_token": {
 "body": ["refresh_token"],
- "headers": ["xero-tenant-id"]
+ "header": ["xero-tenant-id"]
 }
 }
 }
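Review bot: The field-level allowlist added under `settingsInjection` still hangs off the unchanged route pattern `https://(.*).xero.com/.*`, whose `(.*)` is not confined to a single host label and whose dots are unescaped. Depending on how the proxy evaluates the pattern, it may therefore match URLs whose host is not under xero.com. Because `client_secret` may now be injected into `Authorization` for anything this route matches, the host part is worth tightening in the same change, for example `"url": "https://[a-z0-9-]+\\.xero\\.com/.*"` (keep a capture group if the proxy relies on it). Giving the client credentials their own route for the token endpoint host, rather than every subdomain, would narrow this further. The enclosing route list starts and ends outside the hunk, so other routes were not reviewed.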
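Review bot: The three keys changed to `header` in this hunk were committed as `headers` in patch 1/2, and nothing visible here shows the manifest being checked against a schema, so a misspelled placement key can land unnoticed. It is worth confirming that the proxy rejects unknown keys under `settingsInjection` (fails closed) rather than ignoring them, and adding a CI schema check that disallows unknown keys. HTTP header names are case-insensitive, so the comparison against `Authorization` and `xero-tenant-id` should be case-insensitive as well. The proxy code that reads these keys is outside this diff.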