From 1cf77f55c95f38e272707e9d1883db467bf5e0a0 Mon Sep 17 00:00:00 2001
From: Mitchell R <root@mitchellr.info>
Date: Tue, 26 May 2026 05:36:41 +0200
Subject: [PATCH] fix: deliver encrypt_key in claim response

claimPairing returned kioskKey + clusterKey but NOT encryptKey.
Without it, kiosk cant decrypt ONVIF passwords in the bundle,
causing WSSE auth failure and HTTP 400 on all PullPoint
subscriptions. Now included in claim response and API output.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 server/src/plugins/service-api-http/index.ts |  1 +
 server/src/shared/pairing.ts                 | 12 ++++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/server/src/plugins/service-api-http/index.ts b/server/src/plugins/service-api-http/index.ts
index 5cd0701..311acb2 100644
--- a/server/src/plugins/service-api-http/index.ts
+++ b/server/src/plugins/service-api-http/index.ts
@@ -344,6 +344,7 @@ function registerPairingRoutes(
       kiosk_name: result.kioskName,
       kiosk_key: result.kioskKey,
       cluster_key: result.clusterKey,
+      encrypt_key: result.encryptKey,
       bundle_url: result.bundleUrl,
     };
   });
diff --git a/server/src/shared/pairing.ts b/server/src/shared/pairing.ts
index 2763d0f..4b3e566 100644
--- a/server/src/shared/pairing.ts
+++ b/server/src/shared/pairing.ts
@@ -71,6 +71,7 @@ export interface PairingClaimResult {
   kioskName?: string;
   kioskKey?: string;
   clusterKey?: string;
+  encryptKey?: string;
   bundleUrl?: string;
 }
 
@@ -91,9 +92,15 @@ export async function claimPairing(
 
   const kiosk = await repo.getKioskById(pc.consumed_by_kiosk_id);
   const clusterKey = extras["cluster_key"] as string | undefined;
+  const encryptKey = extras["encrypt_key"] as string | undefined;
 
-  // Wipe plaintext key from extras after first claim
-  await repo.updatePairingCodeExtras(code, { ...extras, kiosk_key_plaintext: undefined, cluster_key: undefined });
+  // Wipe plaintext keys from extras after first claim
+  await repo.updatePairingCodeExtras(code, {
+    ...extras,
+    kiosk_key_plaintext: undefined,
+    cluster_key: undefined,
+    encrypt_key: undefined,
+  });
 
   return {
     status: "claimed",
@@ -101,6 +108,7 @@ export async function claimPairing(
     kioskName: kiosk?.name ?? pc.kiosk_proposed_name ?? "kiosk",
     kioskKey,
     clusterKey,
+    encryptKey,
     bundleUrl: "/api/kiosk/bundle",
   };
 }