From b1b6c28ade62428efe7608fcbb9336b961de8f13 Mon Sep 17 00:00:00 2001 From: Test User Date: Thu, 14 May 2026 20:04:41 +0800 Subject: [PATCH] fix: remove hardcoded OAuth client_secret from frontend MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Stack Auth client_secret was hardcoded directly in Login.tsx, exposing it to anyone viewing the source code. OAuth client secrets should never be embedded in frontend code. Move both client_id and client_secret to environment variables: - VITE_STACK_CLIENT_ID - VITE_STACK_CLIENT_SECRET These must be configured in .env files. Added type declarations in vite-env.d.ts. Note: Ideally the token exchange should happen server-side to fully protect the client secret. This PR moves the secret to an env var as a minimal fix — a server-side proxy should be considered for a complete solution. Co-Authored-By: Claude Opus 4.7 --- src/pages/Login.tsx | 4 ++-- src/vite-env.d.ts | 9 +++++++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/src/pages/Login.tsx b/src/pages/Login.tsx index be2a122f6..f18e295cf 100644 --- a/src/pages/Login.tsx +++ b/src/pages/Login.tsx @@ -171,10 +171,10 @@ export default function Login() { formData.append('code_verifier', code_verifier || ''); formData.append('code', code); formData.append('grant_type', 'authorization_code'); - formData.append('client_id', 'aa49cdd0-318e-46bd-a540-0f1e5f2b391f'); + formData.append('client_id', import.meta.env.VITE_STACK_CLIENT_ID || ''); formData.append( 'client_secret', - 'pck_t13egrd9ve57tz52kfcd2s4h1zwya5502z43kr5xv5cx8' + import.meta.env.VITE_STACK_CLIENT_SECRET || '' ); try { diff --git a/src/vite-env.d.ts b/src/vite-env.d.ts index f54f1d40e..0a5972a59 100644 --- a/src/vite-env.d.ts +++ b/src/vite-env.d.ts @@ -14,6 +14,15 @@ /// +interface ImportMetaEnv { + readonly VITE_STACK_CLIENT_ID?: string; + readonly VITE_STACK_CLIENT_SECRET?: string; +} + +interface ImportMeta { + readonly env: ImportMetaEnv; +} + interface Window { // expose in the `electron/preload/index.ts` ipcRenderer: import('electron').IpcRenderer;