Security: remove hardcoded API key from test_apis.py, add .env.example, fix GPS location to use real CoreLocation + IP geolocation fallback

Author: kvssk123

.env.example

@@ -0,0 +1,9 @@
+# Copy this file to .env and fill in your keys.
+# The .env file is git-ignored and should NEVER be committed.
+
+# Google Gemini API key (https://aistudio.google.com/app/apikey)
+GEMINI_API_KEY=your_gemini_api_key_here
+
+# Google Maps Platform API key (https://console.cloud.google.com/google/maps-apis)
+# Needs: Directions API, Places API, Geocoding API
+GOOGLE_MAPS_API_KEY=your_google_maps_api_key_here

handsfree/executor.py

@@ -188,12 +188,12 @@ def _get_directions(args):
         distance = leg["distance"]["text"]
         start    = leg["start_address"]
         end      = leg["end_address"]
-        steps = [
-            s["html_instructions"].replace("<b>", "").replace("</b>", "")
-                                  .replace("<div style=\"font-size:0.9em\">", " — ")
-                                  .replace("</div>", "")
-            for s in leg["steps"][:5]
-        ]
+        import re as _re
+        def _strip_html(h):
+            h = h.replace("<wbr/>", "").replace("<wbr>", "")
+            h = h.replace('<div style="font-size:0.9em">', " — ").replace("</div>", "")
+            return _re.sub(r"<[^>]+>", "", h).strip()
+        steps = [_strip_html(s["html_instructions"]) for s in leg["steps"][:6]]
         maps_url = (
             f"https://www.google.com/maps/dir/?api=1"
             f"&origin={requests.utils.quote(start)}"
@@ -312,7 +312,7 @@ def _get_current_location(args):
         from handsfree.location import get_gps_location
         loc = get_gps_location()
         if not loc:
-            raise RuntimeError("GPS unavailable")
+            raise RuntimeError("Could not determine location — CoreLocation denied and IP lookup failed")
 
         lat, lon = loc["lat"], loc["lon"]
 

handsfree/location.py

@@ -33,37 +33,42 @@ def is_location_query(text: str) -> bool:
 def get_gps_location() -> dict | None:
     """
     Retrieve current GPS coordinates using Apple CoreLocation via pyobjc.
-    Returns dict with lat, lon, address, maps_link — or None if unavailable.
-    Falls back to a simulated location when running without location permissions.
+    Falls back to IP-based geolocation if CoreLocation is denied or unavailable.
+    Returns dict with lat, lon, address, maps_link — or None if all methods fail.
     """
     try:
         import CoreLocation
         import time
 
         manager = CoreLocation.CLLocationManager.alloc().init()
 
-        # Request authorization (needed on macOS 10.15+)
         auth_status = CoreLocation.CLLocationManager.authorizationStatus()
-        if auth_status == CoreLocation.kCLAuthorizationStatusNotDetermined:
+        # kCLAuthorizationStatusDenied = 2, Restricted = 1, NotDetermined = 0
+        if auth_status in (1, 2):
+            # Permission denied — skip straight to IP fallback
+            return _fallback_location()
+        if auth_status == 0:
             manager.requestWhenInUseAuthorization()
-            time.sleep(1)
+            time.sleep(1.5)
 
         location = manager.location()
         if location is None:
             return _fallback_location()
 
         coord = location.coordinate()
         lat, lon = coord.latitude, coord.longitude
-        address = _reverse_geocode(lat, lon)
+        if lat == 0.0 and lon == 0.0:
+            return _fallback_location()
 
+        address = _reverse_geocode(lat, lon)
         return {
             "lat": lat,
             "lon": lon,
             "address": address,
             "maps_link": f"https://maps.google.com/?q={lat:.6f},{lon:.6f}",
-            "source": "CoreLocation (on-device)",
+            "source": "CoreLocation (on-device GPS)",
         }
-    except Exception as e:
+    except Exception:
         return _fallback_location()
 
 
@@ -100,16 +105,31 @@ def completion(placemarks, error):
 
 
 def _fallback_location() -> dict:
-    """Return a plausible simulated location for demo/dev purposes."""
-    # San Francisco (Civic Center) — good default for the hackathon
-    lat, lon = 37.7793, -122.4193
-    return {
-        "lat": lat,
-        "lon": lon,
-        "address": "Civic Center, San Francisco, CA",
-        "maps_link": f"https://maps.google.com/?q={lat},{lon}",
-        "source": "simulated (no GPS permission)",
-    }
+    """
+    Fallback when CoreLocation is unavailable or denied.
+    Uses IP-based geolocation (ipinfo.io, free, no key needed) for real location.
+    """
+    import requests as _req
+    try:
+        resp = _req.get("https://ipinfo.io/json", timeout=4).json()
+        loc_str = resp.get("loc", "")         # "37.7749,-122.4194"
+        city    = resp.get("city", "")
+        region  = resp.get("region", "")
+        country = resp.get("country", "")
+        if loc_str and "," in loc_str:
+            lat, lon = map(float, loc_str.split(","))
+            address = ", ".join(p for p in [city, region, country] if p)
+            return {
+                "lat": lat,
+                "lon": lon,
+                "address": address or f"{lat:.4f}, {lon:.4f}",
+                "maps_link": f"https://maps.google.com/?q={lat:.6f},{lon:.6f}",
+                "source": "IP geolocation (ipinfo.io)",
+            }
+    except Exception:
+        pass
+    # Last resort: return None so callers know it truly failed
+    return None
 
 
 def inject_location_into_command(text: str, location: dict) -> str:

test_apis.py

@@ -3,7 +3,9 @@
 sys.path.insert(0, "cactus/python/src")
 sys.path.insert(0, ".")
 
-os.environ.setdefault("GOOGLE_MAPS_API_KEY", "AIzaSyA5IPZCbVqBCbvOK24erpnIShSRltBWgYE")
+# Load from environment — set GOOGLE_MAPS_API_KEY in your shell or .env file
+if not os.environ.get("GOOGLE_MAPS_API_KEY"):
+    raise EnvironmentError("GOOGLE_MAPS_API_KEY is not set. See .env.example.")
 
 from handsfree.executor import execute