From b37342e1008d7e23d19813df81302f23fa27e828 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bjo=CC=88rn=20Dahlgren?=
Date: Sun, 6 Aug 2017 11:30:04 +0200
Subject: [PATCH] Whitelist which config settings to send for API endpoint

Avoids sharing private username and password for Steam etc
---
 routes/settings.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/routes/settings.js b/routes/settings.js
index bb5ac7d..dc951b0 100644
--- a/routes/settings.js
+++ b/routes/settings.js
@@ -1,10 +1,11 @@
 var express = require('express')
+var _ = require('lodash')
 module.exports = function (config) {
 var router = express.Router()
 router.get('/', function (req, res) {
- res.json(config)
+ res.json(_.pick(config, ['game', 'path', 'type']))
 })
 return router
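Review bot: The allowlist in the `router.get('/')` handler still returns `path`, presumably a server-side filesystem location, to every caller of this route, and no authentication is visible in the hunk; confirm the client needs it, otherwise narrow the call to `_.pick(config, ['game', 'type'])`. `_.pick` copies top-level keys as they are, so if `game` or `type` ever hold nested objects their sub-fields are sent as well (the shape of `config` is not visible here). The commit touches only `routes/settings.js`, so check that `lodash` is declared in the package manifest rather than resolved through a transitive install. A comment above the call such as `// Allowlist of keys safe to expose to API clients; never add credentials here.` would keep later edits from re-exposing secrets. The exported function continues past the end of the hunk.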