Skip to content

[SECURITY] Introduce hardcoded API key in auth module#2

Open
GAURAV-1313 wants to merge 2 commits into
masterfrom
bugfix/hardcoded-secret
Open

[SECURITY] Introduce hardcoded API key in auth module#2
GAURAV-1313 wants to merge 2 commits into
masterfrom
bugfix/hardcoded-secret

Conversation

@GAURAV-1313

Copy link
Copy Markdown
Owner

Adds a hardcoded API key vulnerability.

@netlify

netlify Bot commented Jun 24, 2026

Copy link
Copy Markdown

Deploy Preview for nofriction canceled.

Name Link
🔨 Latest commit db1aa70
🔍 Latest deploy log https://app.netlify.com/projects/nofriction/deploys/6a3c3473aac2fe0008e8021f

@GAURAV-1313

GAURAV-1313 commented Jun 24, 2026

Copy link
Copy Markdown
Owner Author

AI Code Review

Summary

This PR introduces a new authentication module with a hardcoded API key and a function to fetch user data from an external API. The use of a hardcoded secret is a critical security vulnerability. Other issues include missing input validation and potential exposure of sensitive information.

Key Findings

Bugs

  • [CRITICAL] src/auth.js — hardcoded API key in source code — exposes sensitive credential risking unauthorized access and credential leaks
  • [MEDIUM] fetchUserData function — missing validation of userId parameter — could result in malformed requests or injection vulnerabilities if userId is not sanitized
  • [LOW] fetchUserData function — no error handling on fetch call — potential silent failure or unhandled promise rejections

Security

  • CRITICAL Hardcoded API key 'sk-hardcoded-secret-12345' in src/auth.js exposes sensitive credentials and can be stolen from the source code repository, leading to unauthorized access to protected APIs.

Recommended Fixes

General

  • Remove the hardcoded API key from the source code and load it from secure environment variables or a secrets manager
  • Add input validation and sanitization for the userId parameter to ensure it conforms to expected formats and prevent injection attacks
  • Implement error handling for the fetch call to manage network failures and unexpected responses gracefully

Security Fixes

  • Hardcoded API key 'sk-hardcoded-secret-12345' in src/auth.js exposes sensitive credentials and can be stolen from the source code repository, leading to unauthorized access to protected APIs. — Remove the hardcoded API key from source code. Store secrets securely using environment variables or dedicated secret management services (e.g., AWS Secrets Manager, HashiCorp Vault). Access the key at runtime using process.env.API_KEY and ensure the environment is properly secured.

Suggested Tests

fetchUserData

import { fetchUserData } from "../src/auth";

// Mock global fetch
global.fetch = jest.fn();

describe("fetchUserData", () => {
  const API_KEY = "sk-hardcoded-secret-12345";
  const baseUrl = "https://api.example.com/users/";

  beforeEach(() => {
    jest.clearAllMocks();
  });

  it("should call fetch with correct URL and authorization header for a valid userId", async () => {
    const userId = "abc123";
    const mockResponse = { json: jest.fn().mockResolvedValue({ id: userId }) };
    fetch.mockResolvedValue(mockResponse);

    const result = fetchUserData(userId);

    expect(fetch).toHaveBeenCalledWith(`${baseUrl}${userId}`, {
      headers: { Authorization: `Bearer ${API_KEY}` }
    });

    expect(result).toBeInstanceOf(Promise);
  });

  it.each(["", null, undefined])(
    "should call fetch with correct URL even if userId is '%s'",
    (userId) => {
      fetch.mockResolvedValue({ json: jest.fn() });

      fetchUserData(userId);

      expect(fetch).toHaveBeenCalledWith(`${baseUrl}${userId}`, {
        headers: { Authorization: `Bearer ${API_KEY}` }
      });
    }
  );

  it("should work correctly when userId is a number (converted to string in URL)", () => {
    const userId = 0;
    fetch.mockResolvedValue({ json: jest.fn() });

    fetchUserData(userId);

    expect(fetch).toHaveBeenCalledWith(`${baseUrl}${userId}`, {
      headers: { Authorization: `Bearer ${API_KEY}` }
    });
  });

  it("should reject if fetch rejects", async () => {
    const userId = "fail-case";
    const error = new Error("Network error");
    fetch.mockRejectedValue(error);

    await expect(fetchUserData(userId)).rejects.toThrow("Network error");
  });

  it("should not mutate the userId argument", () => {
    const userId = "immutableId";
    const userIdCopy = userId;
    fetch.mockResolvedValue({ json: jest.fn() });

    fetchUserData(userId);

    expect(userId).toBe(userIdCopy);
  });
});

Auto-Fix Available

Add the apply-ai-fixes label to this pull request to have RepoSpace
automatically generate and commit code fixes for the issues listed above.


4 issues found. Reviewed by RepoSpace AI.

- src/auth.js: Replaced hardcoded API key with an environment variable for improved security.
@GAURAV-1313

Copy link
Copy Markdown
Owner Author

Auto-Fix Results

Applied (1)

  • src/auth.js — Replaced hardcoded API key with an environment variable for improved security.

Generated by RepoSpace AI. Review AI commits before merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant