fix(workflow): stop leaking peer share tokens from participant session API (#6241)

This commit is contained in:
ConnorYoh
2026-04-28 17:36:20 +01:00
committed by GitHub
parent b966e771a4
commit 4e4918b91e
4 changed files with 194 additions and 11 deletions
@@ -6,7 +6,10 @@ export interface ParticipantResponse {
email: string;
name: string;
status: "PENDING" | "NOTIFIED" | "VIEWED" | "SIGNED" | "DECLINED";
shareToken: string;
// Null for participant-facing endpoints (`/api/v1/workflow/participant/...`); the owner-facing
// `/api/v1/security/cert-sign/sessions/...` endpoints still populate it for share-link
// distribution. Never used to look up other participants — see GHSA-qgg6-mxw4-xg62.
shareToken: string | null;
accessRole: "EDITOR" | "COMMENTER" | "VIEWER";
expiresAt?: string;
lastUpdated: string;