Skip to content

🛡️ Sentinel: [CRITICAL] Fix hardcoded Supabase secrets#470

Open
Oxygen-Low wants to merge 1 commit into
mainfrom
fix-hardcoded-secrets-9197243752297577956
Open

🛡️ Sentinel: [CRITICAL] Fix hardcoded Supabase secrets#470
Oxygen-Low wants to merge 1 commit into
mainfrom
fix-hardcoded-secrets-9197243752297577956

Conversation

@Oxygen-Low

@Oxygen-Low Oxygen-Low commented Jul 18, 2026

Copy link
Copy Markdown
Owner
  • 🚨 Severity: CRITICAL
  • 💡 Vulnerability: Hardcoded Supabase URL and anon keys found across the backend and frontend.
  • 🎯 Impact: Exposes critical credentials leading to potential data breaches, unauthorized data access and exploitation.
  • 🔧 Fix: Replaced hardcoded values with references to the environment variables using import.meta.env (for Vite frontend) and process.env (for Node backend). Added a journal entry to .jules/sentinel.md documenting this issue.
  • Verification: Run pnpm test and pnpm typecheck to ensure no functionality is broken. Ensure .env is loaded with proper values during deployment.

PR created automatically by Jules for task 9197243752297577956 started by @Oxygen-Low

Summary by CodeRabbit

  • Security

    • Supabase connection credentials are now loaded from environment variables instead of being embedded in the application.
    • Added security guidance documenting the risks of hardcoded API keys and recommended configuration practices.
  • Documentation

    • Improved spacing and readability in internal accessibility and development notes.
  • Refactor

    • Standardised configuration across authentication, repository, AI, and Git-related services without changing existing behaviour.

Co-authored-by: Oxygen-Low <95589118+Oxygen-Low@users.noreply.github.com>
@google-labs-jules

Copy link
Copy Markdown
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai

coderabbitai Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Supabase URL and anon-key values now come from environment variables across client and server modules. Supporting sentinel notes and Markdown spacing are updated, and Chatbot JSX formatting is compacted without described rendering logic changes.

Changes

Supabase credential sourcing

Layer / File(s) Summary
Environment-backed Supabase configuration
client/lib/supabase.ts, server/lib/*.ts, server/routes/*.ts, .jules/sentinel.md
Supabase URL and anon-key values are read from environment variables across the client, server libraries, and routes; the sentinel note documents the hardcoded-credential issue and prevention guidance.

Formatting updates

Layer / File(s) Summary
Notes and Chatbot formatting
.jules/bolt.md, .jules/palette.md, client/components/apps/Chatbot.tsx
Markdown spacer lines are added, and the Chatbot ReactMarkdown opening tag is reformatted while retaining memoizedMarkdownComponents.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Poem

A bunny found secrets tucked out of sight,
Moved keys to the env where they’re safer and right.
Markdown gained spacing, neat as can be,
Chatbot tags hopped into shape with glee.
“Clean changes!” cried the rabbit, “carrots for me!”

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: replacing hardcoded Supabase secrets with environment variables.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.jules/sentinel.md:
- Around line 7-11: Update the “Hardcoded Supabase Secrets in Backend” entry in
sentinel.md to describe the anon key as a publishable client credential and the
change as externalising project configuration. Reserve “secret” and “major
security flaw” language for privileged credentials such as service-role keys,
and replace “node” with “Node.js” in the environment-variable guidance.

In `@client/lib/supabase.ts`:
- Around line 3-4: Update the CSP configuration in server/index.ts to derive
connect-src, WebSocket, image, and media origins from the same validated
Supabase URL used by the client configuration, rather than hard-coding the
previous project’s origins. Ensure the derived origins remain valid CSP entries
and stay synchronized when VITE_SUPABASE_URL changes.

In `@server/lib/aikido.ts`:
- Around line 6-7: Replace duplicated environment-backed Supabase credentials
with the shared getAuthenticatedClient(token) helper for JWT-backed operations.
Update server/lib/aikido.ts at lines 6-7 and use it in aikidoUserMiddleware;
update server/lib/repoAuth.ts at lines 5-6 for JWT validation,
server/lib/repoManager.ts at lines 11-12 in its token-aware client flow,
server/routes/ai.ts at lines 10-11 for bearer-token access, and
server/routes/git.ts at lines 11-12 for authenticated repository queries. Retain
the anon client only where no JWT is available.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d88980b2-ad50-458c-a244-fdfdad1ae9cb

📥 Commits

Reviewing files that changed from the base of the PR and between c99b62f and 453ec03.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (11)
  • .jules/bolt.md
  • .jules/palette.md
  • .jules/sentinel.md
  • client/components/apps/Chatbot.tsx
  • client/lib/supabase.ts
  • server/lib/aikido.ts
  • server/lib/repoAuth.ts
  • server/lib/repoManager.ts
  • server/lib/supabase.ts
  • server/routes/ai.ts
  • server/routes/git.ts

Comment thread .jules/sentinel.md
Comment on lines +7 to +11
## 2024-05-18 - Hardcoded Supabase Secrets in Backend

**Vulnerability:** Hardcoded Supabase URL and anon keys found across the backend and frontend.
**Learning:** Hardcoding API keys is a major security flaw allowing exploitation.
**Prevention:** Always use environment variables for sensitive info (`import.meta.env` for Vite or `process.env` in node).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Clarify that the Supabase anon key is publishable, not a secret.

The anon key is intentionally exposed to browser clients; RLS and server-side secret handling provide the security boundary. Describe this as externalising project configuration, and reserve “secret”/“major security flaw” wording for privileged keys such as a service-role key. Also use “Node.js” rather than “node”.

🧰 Tools
🪛 LanguageTool

[uncategorized] ~11-~11: The preposition ‘for’ seems more likely in this position.
Context: ...ort.meta.envfor Vite orprocess.env` in node).

(AI_HYDRA_LEO_REPLACE_IN_FOR)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.jules/sentinel.md around lines 7 - 11, Update the “Hardcoded Supabase
Secrets in Backend” entry in sentinel.md to describe the anon key as a
publishable client credential and the change as externalising project
configuration. Reserve “secret” and “major security flaw” language for
privileged credentials such as service-role keys, and replace “node” with
“Node.js” in the environment-variable guidance.

Source: Linters/SAST tools

Comment thread client/lib/supabase.ts
Comment on lines +3 to +4
const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
const supabaseKey = import.meta.env.VITE_SUPABASE_ANON_KEY;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Keep the CSP allowlist aligned with the configured Supabase URL.

server/index.ts still hard-codes the previous Supabase connect-src, WebSocket, image, and media origins. If VITE_SUPABASE_URL points to another project, the browser will create a client for that project but CSP will block its requests. Derive these origins from the same validated configuration or update the allowlist as part of deployment.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@client/lib/supabase.ts` around lines 3 - 4, Update the CSP configuration in
server/index.ts to derive connect-src, WebSocket, image, and media origins from
the same validated Supabase URL used by the client configuration, rather than
hard-coding the previous project’s origins. Ensure the derived origins remain
valid CSP entries and stay synchronized when VITE_SUPABASE_URL changes.

Comment thread server/lib/aikido.ts
Comment on lines +6 to +7
const supabaseUrl = process.env.VITE_SUPABASE_URL as string;
const supabaseAnonKey = process.env.VITE_SUPABASE_ANON_KEY as string;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Use the shared authenticated Supabase client for JWT-backed operations.

These modules each retain their own environment-backed client configuration even though they already have a user JWT. Import and use getAuthenticatedClient(token) from server/lib/supabase.ts; keep the anon client only for operations without a JWT. This avoids divergent auth behaviour and follows the repository’s Supabase client contract.

  • server/lib/aikido.ts#L6-L7: remove the duplicate credentials and use getAuthenticatedClient(token) in aikidoUserMiddleware.
  • server/lib/repoAuth.ts#L5-L6: use the shared helper for JWT validation.
  • server/lib/repoManager.ts#L11-L12: replace the private token-aware client factory with the shared helper.
  • server/routes/ai.ts#L10-L11: use the shared helper for the bearer-token Supabase client.
  • server/routes/git.ts#L11-L12: use the shared helper for authenticated repository queries.
📍 Affects 5 files
  • server/lib/aikido.ts#L6-L7 (this comment)
  • server/lib/repoAuth.ts#L5-L6
  • server/lib/repoManager.ts#L11-L12
  • server/routes/ai.ts#L10-L11
  • server/routes/git.ts#L11-L12
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/lib/aikido.ts` around lines 6 - 7, Replace duplicated
environment-backed Supabase credentials with the shared
getAuthenticatedClient(token) helper for JWT-backed operations. Update
server/lib/aikido.ts at lines 6-7 and use it in aikidoUserMiddleware; update
server/lib/repoAuth.ts at lines 5-6 for JWT validation,
server/lib/repoManager.ts at lines 11-12 in its token-aware client flow,
server/routes/ai.ts at lines 10-11 for bearer-token access, and
server/routes/git.ts at lines 11-12 for authenticated repository queries. Retain
the anon client only where no JWT is available.

Source: Coding guidelines

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant