Description
The secret token is embedded in the built JavaScript via import.meta.env.VITE_SECRET_TOKEN in 5 frontend files:
app/src/App.tsx
app/src/components/Input.tsx
app/src/components/chat.tsx
app/src/components/code-graph.tsx
app/src/components/combobox.tsx
Each file contains:
```tsx
const AUTH_HEADERS: HeadersInit = import.meta.env.VITE_SECRET_TOKEN
  ? { 'Authorization': `Bearer ${import.meta.env.VITE_SECRET_TOKEN}` }
  : {};
```
Vite replaces import.meta.env.VITE_* at build time, so the token value is visible in the page source of the built app.
Impact
Anyone who can view the page source can extract the SECRET_TOKEN and make authenticated API calls directly.
Suggested Fix
Use a server-side session/cookie-based auth flow instead of embedding secrets in the client bundle. If token auth is needed, issue tokens via a login endpoint rather than shipping a static secret.
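As an added example (not code from the issue or the project), the build-time substitution is modelled in a few lines together with a pre-deploy check that flags VITE_* secrets surviving into the bundle, and the shape of a cookie-based request that carries no embedded secret. The env names, token value and helper names are constructed for illustration.

```typescript
// Constructed source mirroring the pattern quoted in the issue.
const SOURCE_SNIPPET = `
const AUTH_HEADERS = import.meta.env.VITE_SECRET_TOKEN
  ? { Authorization: \`Bearer \${import.meta.env.VITE_SECRET_TOKEN}\` }
  : {};
`;

// Constructed .env contents; the token value is a placeholder, not a real secret.
const BUILD_ENV: Record<string, string> = {
  VITE_SECRET_TOKEN: "placeholder-secret-token-0000",
  VITE_API_BASE: "https://api.example.invalid",
};

// Simplified model of Vite's build step: every import.meta.env.VITE_* reference
// is replaced by a string literal, so the value is shipped to every visitor.
function substituteEnv(source: string, env: Record<string, string>): string {
  return source.replace(/import\.meta\.env\.(VITE_[A-Z0-9_]+)/g, (_m, name: string) =>
    name in env ? JSON.stringify(env[name]) : "undefined");
}

// Pre-deploy check: which secret-looking VITE_* values appear verbatim in the
// built bundle? Run this over dist/**/*.js before publishing.
function findLeakedSecrets(bundle: string, env: Record<string, string>): string[] {
  return Object.keys(env).filter(
    (name) => /SECRET|TOKEN|KEY|PASSWORD/i.test(name) && bundle.includes(env[name]));
}

// Hardened request shape (assumed design, not the project's code): the browser
// attaches a server-issued session cookie; nothing static lives in the bundle.
function sessionRequestInit(method: string): { method: string; credentials: "include" } {
  return { method, credentials: "include" };
}

function demo(): string[] {
  const bundle = substituteEnv(SOURCE_SNIPPET, BUILD_ENV);
  return findLeakedSecrets(bundle, BUILD_ENV); // ["VITE_SECRET_TOKEN"]
}
```

The check is only as good as the env file it reads: point it at the same .env the CI build used.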
Context
Found during code review of PR #522.