Skip to content

Commit 453ec03

Browse files
Replace hardcoded Supabase secrets with environment variables
Co-authored-by: Oxygen-Low <95589118+Oxygen-Low@users.noreply.github.com>
1 parent c99b62f commit 453ec03

12 files changed

Lines changed: 5345 additions & 3002 deletions

File tree

.jules/bolt.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,8 @@
22

33
**Learning:** Static arrays that contain JSX elements (e.g. configuring categories or routing with icons) created inside a React component render function are re-allocated on every single render. This forces child components and `useMemo` hooks depending on them to constantly re-evaluate.
44
**Action:** Always define static configuration structures containing JSX elements outside the component body.
5+
56
## 2024-05-17 - [ReactMarkdown Memoization Pattern]
7+
68
**Learning:** In streaming chat interfaces (like `Chatbot.tsx`), placing inline object or function definitions (like the `components` prop for `ReactMarkdown`) inside a `React.memo` wrapped child component causes that heavy component to re-render constantly. This happens because the parent `ChatMessage` is memoized and might try to avoid re-renders, but when it does re-render due to prop changes (like new tokens in `m.content`), it recreates the `components` object, which then forces `ReactMarkdown` (a very heavy component with SyntaxHighlighter) to completely re-render from scratch instead of just updating text.
79
**Action:** Always extract static configuration objects, such as `ReactMarkdown`'s `components` mappings or custom renderers, outside of the React render body. If they depend on props/state, use `useMemo`. This prevents O(n) re-renders during frequent streaming state updates.

.jules/palette.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,9 @@
11
## 2023-10-27 - [Add aria-pressed to custom toggles]
2+
23
**Learning:** Custom toggle buttons and selection items (like themes, fonts, or feature switches) constructed with `button` elements often lack implicit state for screen readers. Using CSS classes alone for visual active state is insufficient for accessibility.
34
**Action:** Always map the boolean active state of a custom toggle or selection button to the `aria-pressed` attribute (e.g., `aria-pressed={isActive}`). For multi-selection or lists, `aria-selected` within a `role="listbox"` or `role="tablist"` might be more appropriate, but `aria-pressed` is crucial for standalone toggles.
5+
46
## 2025-02-28 - Add missing ARIA labels to Music Player
7+
58
**Learning:** Icon-only buttons without `aria-label` or `title` attributes are completely inaccessible to screen readers and difficult for sighted users to identify. When adding ARIA attributes to toggle buttons (like "Shuffle"), it is important to include `aria-pressed` to communicate the active state to assistive technologies.
69
**Action:** Always add `aria-label` and `title` to icon-only buttons. For stateful toggle buttons, implement `aria-pressed={state}` dynamically.

.jules/sentinel.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,3 +3,9 @@
33
**Vulnerability:** A critical SSRF (Server-Side Request Forgery) vulnerability via DNS rebinding existed because `url.hostname` was directly assigned an IPv6 address (`firstAddress.address`) without brackets (`[]`). Node.js fails silently when setting an unbracketed IPv6 address to `url.hostname`, leaving the original hostname intact and bypassing IP pinning.
44
**Learning:** In Node.js, `URL.hostname` fails silently when assigned an unbracketed IPv6 address (e.g., `url.hostname = '2606:4700::1111'`). This can leave the original domain intact and bypass IP pinning or SSRF mitigations like DNS rebinding protection.
55
**Prevention:** Always use `net.isIPv6()` to bracket IPv6 addresses (e.g., `[2606:4700::1111]`) before assigning them to `url.hostname`.
6+
7+
## 2024-05-18 - Hardcoded Supabase Secrets in Backend
8+
9+
**Vulnerability:** Hardcoded Supabase URL and anon keys found across the backend and frontend.
10+
**Learning:** Hardcoding API keys is a major security flaw allowing exploitation.
11+
**Prevention:** Always use environment variables for sensitive info (`import.meta.env` for Vite or `process.env` in node).

client/components/apps/Chatbot.tsx

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -149,9 +149,7 @@ const ChatMessage = React.memo(
149149
: "bg-slate-900 border border-slate-800 text-slate-200",
150150
)}
151151
>
152-
<ReactMarkdown
153-
components={memoizedMarkdownComponents}
154-
>
152+
<ReactMarkdown components={memoizedMarkdownComponents}>
155153
{displayContent}
156154
</ReactMarkdown>
157155
</div>

client/lib/supabase.ts

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
import { createClient } from "@supabase/supabase-js";
22

3-
const supabaseUrl = "https://vqmukrmpgvavscsyefqd.supabase.co";
4-
const supabaseKey = "sb_publishable_t2Nj_QmKvYBkmhQZvGkPAQ_a6YFGq4Q";
3+
const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
4+
const supabaseKey = import.meta.env.VITE_SUPABASE_ANON_KEY;
55

66
export const supabase = createClient(supabaseUrl, supabaseKey);
77

0 commit comments

Comments
 (0)