From f0711be302d42f2267c00e2afc8e5c3165578631 Mon Sep 17 00:00:00 2001
From: Luis Pater
Date: Sun, 16 Nov 2025 12:12:24 +0800
Subject: [PATCH] **fix(auth): prevent access to removed credentials lingering in memory**

Add logic to avoid exposing credentials that have been removed from disk but still persist in memory. Ensure `runtimeOnly` checks and proper handling of disabled or removed authentication states.
---
 internal/api/handlers/management/auth_files.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/internal/api/handlers/management/auth_files.go b/internal/api/handlers/management/auth_files.go
index 8a198a84..5d4026e8 100644
--- a/internal/api/handlers/management/auth_files.go
+++ b/internal/api/handlers/management/auth_files.go
@@ -346,6 +346,10 @@ func (h *Handler) buildAuthFileEntry(auth *coreauth.Auth) gin.H {
 		entry["size"] = info.Size()
 		entry["modtime"] = info.ModTime()
 	} else if os.IsNotExist(err) {
+		// Hide credentials removed from disk but still lingering in memory.
+		if !runtimeOnly && (auth.Disabled || auth.Status == coreauth.StatusDisabled || strings.EqualFold(strings.TrimSpace(auth.StatusMessage), "removed via management api")) {
+			return nil
+		}
 		entry["source"] = "memory"
 	} else {
 		log.WithError(err).Warnf("failed to stat auth file %s", path)
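Review bot: The new guard in the `os.IsNotExist` branch decides whether to hide a credential by comparing `auth.StatusMessage` against the free-text literal `"removed via management api"`, which ties this visibility check to the exact wording written by whatever code sets that message; a reworded or mistyped message elsewhere would silently re-expose the entry. Prefer a constant shared with the writer of that message (e.g. `const statusMessageRemovedViaAPI = "removed via management api"` used on both sides), or better a dedicated status value alongside `coreauth.StatusDisabled` so the check is a typed comparison rather than a normalized string match. Note also that this hunk only hides the entry from the management listing: if the in-memory record remains eligible for use on request paths (not visible here), the commit title's "prevent access" is not achieved by this change alone, and the record should be evicted from the in-memory store rather than merely filtered from the view. `runtimeOnly` and the enclosing stat `if` block are declared above the hunk, and callers of buildAuthFileEntry must now skip a nil result, otherwise a `null` element may be serialized into the returned list.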