fix(security): remove hardcoded API key and add secure env configuration #17
Open
KGFCH2 wants to merge 1 commit into
Conversation
- Replace hardcoded GEMINI_API_KEY with os.environ.get() lookup
- Raise EnvironmentError at startup if key is missing (fail-fast)
- Sanitize error responses to avoid leaking exception details to clients
- Add FLASK_DEBUG env var support; disable debug in production by default
- Add .env.example template documenting all required environment variables
- Add comprehensive .gitignore to prevent secrets and generated files from being accidentally committed to version control

Security impact: The previously committed API key (AIzaSyCHaO_...) must be revoked immediately at https://console.cloud.google.com/apis/credentials

Fixes: hardcoded credential exposure in chatbot.py
@KGFCH2 is attempting to deploy a commit to the Om Roy's projects Team on Vercel. A member of the Team first needs to authorize it.
Related Issue
Closes #16
Summary
Removes a hardcoded Google Gemini API key from `chatbot.py` and replaces it with a secure environment-variable lookup. Adds `.env.example` and `.gitignore` to prevent future credential exposure.
Changes Made
- Replace `API_KEY = "AIzaSy..."` with `os.environ.get("GEMINI_API_KEY")`
- Raise `EnvironmentError` at startup if `GEMINI_API_KEY` is not set
- Add `FLASK_DEBUG` environment variable (defaults to `false`)
- Add `.env.example` documenting all required environment variables
- Add `.gitignore` covering Python, Node.js, OS files, and `.env`
Testing
- `chatbot.py` raises `EnvironmentError` when `GEMINI_API_KEY` is unset
- `GEMINI_API_KEY` set in shell environment
- `.gitignore` correctly excludes `.env` files
Impact
Eliminates a critical security vulnerability. The compromised key must be revoked at https://console.cloud.google.com/apis/credentials
Checklist
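Added example, not code from this PR or from the project's `chatbot.py`: a fail-fast settings loader and a sanitized error response that together show the three behaviours the PR describes (environment lookup, `EnvironmentError` at startup, `FLASK_DEBUG` defaulting to off, and no exception text reaching clients). `load_settings` and `safe_error_response` are hypothetical names, and the optional `env` mapping exists only so the loader can be exercised without touching the real process environment.

```python
# Added example (not the PR's own code): fail-fast env configuration and a
# sanitized error body, in the shape a Flask app like chatbot.py would use.
import logging
import os
import uuid

log = logging.getLogger("chatbot")

# Spellings of FLASK_DEBUG that enable debug; anything else (or unset) is off.
_TRUTHY = {"1", "true", "yes", "on"}


def load_settings(env=None):
    """Read configuration at startup and refuse to start without the key.

    `env` is a hypothetical hook for tests; real callers use os.environ.
    """
    env = os.environ if env is None else env
    api_key = env.get("GEMINI_API_KEY", "").strip()
    if not api_key:
        # Fail fast: a missing key would otherwise surface as an opaque
        # upstream error on the first chat request, after the app is live.
        raise EnvironmentError(
            "GEMINI_API_KEY is not set; copy .env.example to .env or export it"
        )
    debug = env.get("FLASK_DEBUG", "false").strip().lower() in _TRUTHY
    return {"api_key": api_key, "debug": debug}


def safe_error_response(exc, debug=False):
    """Body and status for a failed request (e.g. from app.errorhandler).

    The exception text is logged server-side under a correlation id; the
    client only receives that id, unless debug was explicitly enabled.
    """
    error_id = uuid.uuid4().hex[:12]
    log.error("request failed [%s]: %r", error_id, exc)
    body = {"error": "internal error", "error_id": error_id}
    if debug:
        body["detail"] = str(exc)  # only with FLASK_DEBUG set to a truthy value
    return body, 500
```

Wire `safe_error_response` into the app's generic exception handler so upstream error strings, which may echo the key or request payload, never reach the HTTP response.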