From a2b6a8c130e915008dc95f7fe7e3be2f1af5c23f Mon Sep 17 00:00:00 2001
From: Abhash Chakraborty
Date: Wed, 15 Apr 2026 05:37:23 +0000
Subject: [PATCH] fix: stop exposing client-side tokens

---
 docusaurus.config.ts | 5 +----
 src/lib/statsProvider.tsx | 17 +----------------
 src/services/githubService.ts | 10 +---------
 wiki/Documentation.md | 19 ++-----------------
 4 files changed, 5 insertions(+), 46 deletions(-)

diff --git a/docusaurus.config.ts b/docusaurus.config.ts
index d4e89964..fe9ce6e8 100644
--- a/docusaurus.config.ts
+++ b/docusaurus.config.ts
@@ -267,15 +267,12 @@ const config: Config = {
 ],
 ],
- // ✅ Add this customFields object to expose the token to the client-side
 customFields: {
- gitToken: process.env.DOCUSAURUS_GIT_TOKEN,
 // Shopify credentials for merch store
 SHOPIFY_STORE_DOMAIN: process.env.SHOPIFY_STORE_DOMAIN || "junh9v-gw.myshopify.com",
 SHOPIFY_STOREFRONT_ACCESS_TOKEN:
- process.env.SHOPIFY_STOREFRONT_ACCESS_TOKEN ||
- "2503dfbf93132b42e627e7d53b3ba3e9",
+ process.env.SHOPIFY_STOREFRONT_ACCESS_TOKEN,
 hooks: {
 onBrokenMarkdownLinks: "warn",
 },
diff --git a/src/lib/statsProvider.tsx b/src/lib/statsProvider.tsx
index 923c16c5..682a1b7b 100644
--- a/src/lib/statsProvider.tsx
+++ b/src/lib/statsProvider.tsx
@@ -8,7 +8,6 @@ import React, {
 type ReactNode,
 } from "react";
 import { githubService, type GitHubOrgStats } from "../services/githubService";
-import useDocusaurusContext from "@docusaurus/useDocusaurusContext";
 // Time filter types
 export type TimeFilter = "week" | "month" | "year" | "all";
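Review bot: Deleting `gitToken` and the hard-coded `"2503dfbf…"` fallback from `customFields` does not revoke either credential — every build already deployed carries both in its client bundle and the Shopify value stays in git history — so the PAT behind `DOCUSAURUS_GIT_TOKEN` and the Storefront access token should be rotated as part of this fix, not just removed from source. Everything that remains in `customFields` is still serialized into the browser bundle; that is the documented role of a Shopify Storefront public access token, but confirm this is the public variant rather than a private one, and add above the object `// NOTE: customFields is shipped to the browser — only public/anonymous credentials belong here.` so the next secret does not land here. With the fallback gone, `SHOPIFY_STOREFRONT_ACCESS_TOKEN` becomes `undefined` when the env var is unset; if the merch store cannot function without it, failing the build is clearer than a silent runtime error, e.g. `if (!process.env.SHOPIFY_STOREFRONT_ACCESS_TOKEN) throw new Error("SHOPIFY_STOREFRONT_ACCESS_TOKEN is not set");`. The `config` object starts and ends outside this hunk.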
@@ -160,11 +159,6 @@ const isPRInTimeRange = (mergedAt: string, filter: TimeFilter): boolean => {
 export function CommunityStatsProvider({
 children,
 }: CommunityStatsProviderProps) {
- const {
- siteConfig: { customFields },
- } = useDocusaurusContext();
- const token = customFields?.gitToken || "";
-
 const [loading, setLoading] = useState(false); // Start with false to avoid hourglass
 const [error, setError] = useState(null);
 const [githubStarCount, setGithubStarCount] = useState(984); // Placeholder value - updated to match production
@@ -433,17 +427,8 @@ export function CommunityStatsProvider({
 setError(null);
- if (!token) {
- setError(
- "GitHub token not found. Please set customFields.gitToken in docusaurus.config.js.",
- );
- setLoading(false);
- return;
- }
-
 try {
 const headers: Record = {
- Authorization: `token ${token}`,
 Accept: "application/vnd.github.v3+json",
 };
@@ -497,7 +482,7 @@ export function CommunityStatsProvider({
 setLoading(false);
 }
 },
- [token, fetchAllOrgRepos, processBatch, cache],
+ [fetchAllOrgRepos, processBatch, cache],
 );
 const clearCache = useCallback(() => {
diff --git a/src/services/githubService.ts b/src/services/githubService.ts
index 1a747133..51b7d060 100644
--- a/src/services/githubService.ts
+++ b/src/services/githubService.ts
@@ -70,18 +70,10 @@ class GitHubService {
 // Get headers for GitHub API requests
 private getHeaders(): Record {
- const headers: Record = {
+ return {
 Accept: "application/vnd.github.v3+json",
 "Content-Type": "application/json",
 };
-
- // Add GitHub token if available in environment
- // Note: In production, you might want to use a server-side proxy to avoid exposing tokens
- if (typeof window !== "undefined" && (window as any).GITHUB_TOKEN) {
- headers["Authorization"] = `token ${(window as any).GITHUB_TOKEN}`;
- }
-
- return headers;
 }
 // === ADDED: setter to toggle anonymous contributors inclusion
diff --git a/wiki/Documentation.md b/wiki/Documentation.md
index 3a4e5021..033b571d 100644
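Review bot: With the `Authorization` header removed from `headers`, every request this callback makes goes to GitHub unauthenticated from the visitor's browser and is subject to GitHub's far lower unauthenticated per-IP rate limit (60 requests/hour as currently documented); because the callback fans out through `fetchAllOrgRepos` and `processBatch`, a single page load is likely to exhaust it, and the old `if (!token)` guard that surfaced a readable error has been removed with nothing in its place. The commit's own documentation now says the token belongs behind a server-side endpoint, yet the client still calls GitHub directly — the consistent fix is to point these fetches at that proxy, or at minimum detect a rate-limit rejection (`if (res.status === 403 && res.headers.get("x-ratelimit-remaining") === "0")`) and fall back to `cache` with a specific `setError("GitHub rate limit exceeded; showing cached stats")` rather than a generic failure. The fetch call and the remainder of the callback are outside this hunk.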
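Review bot: `getHeaders` now unconditionally returns two static headers, but the surviving comment `// Get headers for GitHub API requests` no longer records the decision that matters — that this client is unauthenticated by design; I would replace it with `// Headers for unauthenticated GitHub API requests. Tokens must never reach the browser bundle; authenticated calls go through a server-side proxy.` so nobody reintroduces a `window.GITHUB_TOKEN` path, and if anything elsewhere still assigns `window.GITHUB_TOKEN` it should be removed in the same change. Separately, `"Content-Type": "application/json"` is meaningless on a request without a body and, since that value is not CORS-safelisted, forces a preflight `OPTIONS` round trip on every cross-origin call to api.github.com; sending it only when there is a request body avoids the extra request. The `GitHubService` class continues outside this hunk.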
--- a/wiki/Documentation.md
+++ b/wiki/Documentation.md
@@ -573,7 +573,7 @@ Response Example:
 }
 ```
 #### Authentication
-All requests require a GitHub Personal Access Token:
+Authenticated requests should be made from a server-side endpoint or serverless function so the token is never shipped to the browser:
 ```typescript
 const headers: Record = {
 Authorization: `token ${YOUR_GITHUB_TOKEN}`,
@@ -588,22 +588,7 @@ Select scopes: public_repo, read:org
 Copy the token (you won't see it again!)
 #### Storing the Token:
-In Docusaurus, we store it in docusaurus.config.js:
-```javascript
-module.exports = {
- customFields: {
- gitToken: process.env.GITHUB_TOKEN || '',
- },
- // ...
-};
-```
-Then access it:
-```typescript
-const {
- siteConfig: { customFields },
-} = useDocusaurusContext();
-const token = customFields?.gitToken || "";
-```
+Do not store a GitHub token in `docusaurus.config.js` or any other client-bundled config. Keep it in server-side environment variables and call GitHub from a backend endpoint instead.
 #### Error Handling
 **Rate Limit Exceeded (403)**