manishkatyan / strapi-stripe

Stripe Plugin for Strapi CMS

[Security] Live keys and secrets can be retrieved without any auth #47

Closed pascalvaccaro closed 2 years ago

pascalvaccaro commented 2 years ago

The getSettings route is not authenticated, leaving all secret values open to the public.

To reproduce, launch a Strapi instance on your local machine, install the plugin, fill out the configuration page, then a simple curl http://localhost:1337/strapi-stripe/getSettings shows all your credentials in the terminal.

A production environment doesn't do anything more.

Solution: remove the config: { auth: false } on both routes related to the settings in server/routes/index.js. Best: set the admin::isAuthenticatedAdmin policy on both routes with config: { policies: ['admin::isAuthenticatedAdmin'] }.
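The before/after route shapes from the suggested fix, written out as an added example (not the plugin's own server/routes/index.js and not part of the issue thread). It follows the Strapi v4 plugin route convention; the second route's path and the handler names are assumed. A small lint helper walks a route list and reports any route that can be reached without an admin session, so a maintainer can check that both conditions hold: auth: false removed and the admin::isAuthenticatedAdmin policy present.

```javascript
// Added illustration for this issue, not the strapi-stripe plugin's code.
// Route shape follows Strapi v4 plugin routes; paths other than /getSettings
// and all handler names are assumptions.

// Before: both settings routes have auth switched off, which is why an
// unauthenticated curl to /strapi-stripe/getSettings returns the keys.
const vulnerableRoutes = [
  {
    method: 'GET',
    path: '/getSettings',
    handler: 'stripeController.getSettings', // assumed handler name
    config: { auth: false },
  },
  {
    method: 'POST',
    path: '/saveSettings', // assumed path for the second settings route
    handler: 'stripeController.saveSettings', // assumed handler name
    config: { auth: false },
  },
];

// After: auth left at Strapi's default (enabled) and the admin-session policy
// applied, so only a logged-in admin panel user can read or write the keys.
const hardenedRoutes = vulnerableRoutes.map((route) => ({
  ...route,
  config: { policies: ['admin::isAuthenticatedAdmin'] },
}));

// Strapi accepts a policy either as a string or as a { name, config } object.
function policyName(policy) {
  return typeof policy === 'string' ? policy : policy && policy.name;
}

// Report every route that is still reachable without an admin session:
// auth explicitly disabled, or the admin policy missing. A route that adds
// the policy but keeps auth: false is flagged too, since the issue asks for
// both changes. Returns "METHOD path" strings for easy checking.
function findUnprotectedRoutes(routes) {
  return routes
    .filter((route) => {
      const config = route.config || {};
      const authDisabled = config.auth === false;
      const adminOnly = (config.policies || [])
        .map(policyName)
        .includes('admin::isAuthenticatedAdmin');
      return authDisabled || !adminOnly;
    })
    .map((route) => `${route.method} ${route.path}`);
}

console.log('unprotected before fix:', findUnprotectedRoutes(vulnerableRoutes));
console.log('unprotected after fix:', findUnprotectedRoutes(hardenedRoutes));
```

Running the helper over a plugin's exported route array before release is a cheap regression check for this class of bug; any route that handles credentials and shows up in the output needs the same treatment as the two settings routes above.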

nishekh-e-r commented 2 years ago

@pascalvaccaro Thanks for pointing out this security issue and solution. You can check the updated plugin here.