Harden third-party integration key config#83
Open
radiantjade wants to merge 1 commit into
Open
Conversation
Third-party integration credentials were still committed in common config even after the AWS-focused remediation work. This keeps the patch scoped to Google Maps browser config, reCAPTCHA, Jira, Algolia, IP geolocation, and Slack webhook wiring, with a static guard to catch regressions. Constraint: Do not touch live services, AWS/IAM/S3 keys, Cloudinary, Civil ID flows, or service-token slices already covered by parallel PRs Rejected: Broaden to every remaining credential in the repo | would overlap active S3/Cloudinary/service-token claims and increase review risk Confidence: high Scope-risk: narrow Directive: Keep new third-party integrations wired through runtime env vars and update the regression guard when adding credential-shaped config Tested: python3 scripts/check-thirdparty-key-hardening.py; python3 -m py_compile scripts/check-thirdparty-key-hardening.py; php -l common/config/main.php; php -l common/config/params.php; git diff --check Not-tested: Full application runtime because local service env vars and databases are not configured
68 tasks
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (4)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Related Knowledge 1 document with suggested updates is ready for review. BAWES Universe StudentHub – Complete Services & Infrastructure Map (Org-wide)”View Suggested Changes@@ -8,7 +8,7 @@
| CircleCI | Other | CI/CD pipeline for building and deploying frontend | admin portal | [studenthub-admin/.circleci/config.yml](https://github.com/BAWES-Universe/studenthub-admin/blob/b453c0c7d0b0f170964a82948fb09da610cde5e9/.circleci/config.yml#L1-L202) | context: org-global | N/A |
| Railway | Hosting | Deploys and manages backend environments and MySQL databases | backend, cron/worker | [studenthub/railway/railway.md](https://github.com/BAWES-Universe/studenthub/blob/ca90a5502040ba8191fe9f80d29d0b6a4d2a6152/railway/railway.md#L1-L34), [studenthub/environments/dev-server-railway/deployments/july_2025/3_july_2025_deployment.sh](https://github.com/BAWES-Universe/studenthub/pull/8) | RAILWAY_DOCKERFILE_PATH | mysql.railway.internal |
| Netlify | Hosting/CDN | Hosts static frontend portals (SPA routing) | staff portal, admin portal | [studenthub-staff/src/_redirects](https://github.com/BAWES-Universe/studenthub-staff/pull/12), [studenthub-staff/angular.json](https://github.com/BAWES-Universe/studenthub-staff/pull/13), [studenthub-admin/src/netlify.toml](https://github.com/BAWES-Universe/studenthub-admin/pull/10) | NODE_VERSION, NODE_OPTIONS | N/A |
-| Algolia | Search | Provides search indexing for backend data | backend | [studenthub/docs/setup.md](https://github.com/BAWES-Universe/studenthub/blob/ca90a5502040ba8191fe9f80d29d0b6a4d2a6152/docs/setup.md#L5-L59) | N/A | N/A |
+| Algolia | Search | Provides search indexing for backend data | backend | [studenthub/docs/setup.md](https://github.com/BAWES-Universe/studenthub/blob/ca90a5502040ba8191fe9f80d29d0b6a4d2a6152/docs/setup.md#L5-L59) | ALGOLIA_APP_ID, ALGOLIA_API_KEY | N/A |
| Mixpanel | Analytics | Tracks user events and analytics | backend, admin portal, frontend portals | [studenthub/docs/analytics.md](https://github.com/BAWES-Universe/studenthub/blob/ca90a5502040ba8191fe9f80d29d0b6a4d2a6152/docs/analytics.md#L3-L41) | MIXPANEL_KEY (configurable in admin) | N/A |
| Segment | Analytics | Aggregates analytics events and forwards to destinations | backend, admin portal, frontend portals | [studenthub/docs/analytics.md](https://github.com/BAWES-Universe/studenthub/blob/ca90a5502040ba8191fe9f80d29d0b6a4d2a6152/docs/analytics.md#L3-L41) | SEGMENT_KEY (configurable in admin) | N/A |
| Puppeteer | Other | Headless browser automation for backend tasks | backend | [studenthub/docs/setup.md](https://github.com/BAWES-Universe/studenthub/blob/ca90a5502040ba8191fe9f80d29d0b6a4d2a6152/docs/setup.md#L5-L59) | N/A | N/A |
@@ -27,5 +27,5 @@
- No evidence was found for DNS/CDN/security services such as Cloudflare, Route53, or WAF. These may be configured outside of code, for example in AWS or Netlify dashboards. Check "AWS Route53 Hosted Zones" or "Netlify Site Settings → Domain Management" for DNS/CDN configuration.
- No explicit deployment or hosting configuration was found for the candidate or company portals. Check "Netlify Site Settings", "Vercel Project Settings", or "AWS S3 Buckets" for these portals.
-- No evidence of authentication, email, SMS, payments, monitoring, maps, queue, media, or support services in code or configs. These may be configured in third-party dashboards or as environment variables not present in the repositories. Check "Environment Variable dashboards" in Netlify, Railway, or AWS, and review admin portal configuration screens for integrations.
+- Environment variables for Google Maps (`GOOGLE_MAPS_API_KEY`, `GOOGLE_MAPS_BROWSER_API_KEY`), reCAPTCHA (`RECAPTCHA_SECRET_KEY`), Jira (`JIRA_URL`, `JIRA_EMAIL`, `JIRA_API_TOKEN`), Algolia (`ALGOLIA_APP_ID`, `ALGOLIA_API_KEY`), IP geolocation (`IPINFO_ACCESS_TOKEN`), and Slack (`SLACK_WEBHOOK_URL`) are configured in the backend but their usage, dashboards, and integration details may be managed externally. No evidence of authentication (OAuth/SAML), email, SMS, payments, monitoring, or queue services in code or configs. Check "Environment Variable dashboards" in Railway or AWS, and review admin portal configuration screens for integrations.
- Some environment variables and secrets are referenced only by name (e.g., in CircleCI contexts or Netlify build configs) and their actual values or usage may be managed in CI/CD or hosting dashboards. Check "CircleCI Contexts → org-global", "Netlify Site Settings → Environment Variables", and "Railway Variables" for full lists and values.How did I do? Any feedback? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
/claim #55
Contributes to #55.
Scope
This is a code-only third-party integration credential hardening slice. It moves checked-in credential-shaped values for Google Maps browser config, reCAPTCHA, Jira, Algolia, IP geolocation, and Slack webhook wiring to runtime environment variables. It also documents the required variables and adds a static regression check to block these patterns from being reintroduced in common config.
Safety Boundary
No live AWS/IAM, S3, Cloudinary, Civil ID backend/UI flows, service-token paths, candidate data, third-party dashboards, or private account data were accessed. This PR does not include secret values.
Demo
Privacy-safe verification demo: https://github.com/radiantjade/studenthub/releases/download/studenthub-55-thirdparty-demo-20260515/studenthub-55-thirdparty-demo.mp4
Verification
Full runtime smoke testing was not run because local service environment variables and databases are not configured.