From 76d710493e2496490f9e2f9894cf581757f4d92e Mon Sep 17 00:00:00 2001
From: Fuwn
Date: Tue, 2 Jun 2026 12:59:04 +0000
Subject: fix(security): replace RSS feed URL tokens with encrypted token (M5)
---
 src/routes/settings/+page.server.ts | 14 ++++++++++++++
 src/routes/settings/+page.svelte | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 src/routes/settings/+page.server.ts
 (limited to 'src/routes/settings')
diff --git a/src/routes/settings/+page.server.ts b/src/routes/settings/+page.server.ts
new file mode 100644
index 00000000..321e5cfd
--- /dev/null
+++ b/src/routes/settings/+page.server.ts
@@ -0,0 +1,14 @@
+import { decodeAuthCookieOrNull } from "$lib/Effect/authCookie";
+import { encryptFeedToken } from "$lib/Utility/feedToken";
+
+// Mint the RSS feed token server-side: the encryption key never reaches the
+// client, so the URL is built here from the refresh token already in the cookie
+// rather than from tokens handed to the browser.
+export const load = async ({ cookies }) => {
+ const cookie = cookies.get("user");
+ const user = cookie ? decodeAuthCookieOrNull(cookie) : null;
+
+ return {
+ feedToken: user ? await encryptFeedToken(user.refreshToken) : undefined,
+ };
+};
diff --git a/src/routes/settings/+page.svelte b/src/routes/settings/+page.svelte
index 79642944..9a3bf990 100644
--- a/src/routes/settings/+page.svelte
+++ b/src/routes/settings/+page.svelte
@@ -55,7 +55,7 @@ export let data: PageData; - + -- cgit v1.2.3
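Review bot: The value built at `feedToken: user ? await encryptFeedToken(user.refreshToken) : undefined` wraps the account's refresh token, so a leaked feed URL (feed readers commonly log and sync URLs) is only as harmless as whatever the decrypting side is allowed to do with it, and nothing in this hunk shows that the feed route limits the decrypted token to serving the feed rather than exchanging it for a session. I would make that contract explicit in the header comment, e.g. `// The feed token is only ever accepted by the feed route and must never be exchanged for a session; rotating the refresh token invalidates every minted feed URL.`, and confirm the feed route enforces the first half, since presumably the only way a user can invalidate a leaked URL today is to rotate the refresh token. Separately, `export const load = async ({ cookies }) => {` leaves the destructured parameter as an implicit `any` under `strict` unless SvelteKit's generated types are applied to unannotated exports in this project; `import type { PageServerLoad } from "./$types";` and `export const load: PageServerLoad = async ({ cookies }) => {` make `cookies.get` and the returned `feedToken` shape checked. The `+page.svelte` hunk's content did not survive extraction here, so its consumer of `data.feedToken` is not reviewed.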