fix: deliver encrypt_key in claim response

claimPairing returned kioskKey + clusterKey but NOT encryptKey. Without it, kiosk cant decrypt ONVIF passwords in the bundle, causing WSSE auth failure and HTTP 400 on all PullPoint subscriptions. Now included in claim response and API output. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-26 16:56:33 +00:00 · 2026-05-26 05:36:41 +02:00 · 2026-05-26 05:36:41 +02:00 · 1cf77f55c9
commit 1cf77f55c9
parent 37cf03e37c
2 changed files with 11 additions and 2 deletions
--- a/server/src/plugins/service-api-http/index.ts
+++ b/server/src/plugins/service-api-http/index.ts
@ -344,6 +344,7 @@ function registerPairingRoutes(
      kiosk_name: result.kioskName,
      kiosk_key: result.kioskKey,
      cluster_key: result.clusterKey,
+      encrypt_key: result.encryptKey,
      bundle_url: result.bundleUrl,
    };
  });
--- a/server/src/shared/pairing.ts
+++ b/server/src/shared/pairing.ts
@ -71,6 +71,7 @@ export interface PairingClaimResult {
  kioskName?: string;
  kioskKey?: string;
  clusterKey?: string;
+  encryptKey?: string;
  bundleUrl?: string;
 }

@ -91,9 +92,15 @@ export async function claimPairing(

  const kiosk = await repo.getKioskById(pc.consumed_by_kiosk_id);
  const clusterKey = extras["cluster_key"] as string | undefined;
+  const encryptKey = extras["encrypt_key"] as string | undefined;

-  // Wipe plaintext key from extras after first claim
-  await repo.updatePairingCodeExtras(code, { ...extras, kiosk_key_plaintext: undefined, cluster_key: undefined });
+  // Wipe plaintext keys from extras after first claim
+  await repo.updatePairingCodeExtras(code, {
+    ...extras,
+    kiosk_key_plaintext: undefined,
+    cluster_key: undefined,
+    encrypt_key: undefined,
+  });

  return {
    status: "claimed",
@ -101,6 +108,7 @@ export async function claimPairing(
    kioskName: kiosk?.name ?? pc.kiosk_proposed_name ?? "kiosk",
    kioskKey,
    clusterKey,
+    encryptKey,
    bundleUrl: "/api/kiosk/bundle",
  };
 }