
Security: VITE_SECRET_TOKEN baked into frontend bundle #572

@gkorland

Description

The secret token is embedded in the built JavaScript via import.meta.env.VITE_SECRET_TOKEN in 5 frontend files:

  • app/src/App.tsx
  • app/src/components/Input.tsx
  • app/src/components/chat.tsx
  • app/src/components/code-graph.tsx
  • app/src/components/combobox.tsx

Each file contains:

const AUTH_HEADERS: HeadersInit = import.meta.env.VITE_SECRET_TOKEN
  ? { 'Authorization': `Bearer ${import.meta.env.VITE_SECRET_TOKEN}` }
  : {};

Vite replaces import.meta.env.VITE_* at build time, so the token value is visible in the page source of the built app.

Impact

Anyone who can view the page source can extract the SECRET_TOKEN and make authenticated API calls directly.

Suggested Fix

Use a server-side session/cookie-based auth flow instead of embedding secrets in the client bundle. If token auth is needed, issue tokens via a login endpoint rather than shipping a static secret.

Context

Found during code review of PR #522.
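The check below is an added example, not code from the issue or from the project. It shows two things a maintainer would want after a report like this: a pre-build scan that flags `import.meta.env.VITE_*` references whose names suggest a secret (Vite inlines every `VITE_`-prefixed variable into the bundle, so any such reference ends up in page source), and a request helper that relies on an HttpOnly session cookie set by a login endpoint instead of a build-time token. The file contents, paths and the `SECRET_NAME_PATTERN` heuristic are constructed assumptions; a real check would read the files under `app/src`.

```javascript
// Added example (not the project's code): scan frontend source text for
// import.meta.env.VITE_* references that look like secrets, and show the
// cookie-based request pattern that keeps the secret off the client.

// Heuristic for names that should never be VITE_-prefixed (assumption).
const SECRET_NAME_PATTERN = /(SECRET|TOKEN|KEY|PASSWORD|PASSWD|CREDENTIAL)/i;
// Vite only exposes env vars with the VITE_ prefix to client code.
const VITE_ENV_REF = /import\.meta\.env\.(VITE_[A-Z0-9_]+)/g;

// Returns { line, name } for each suspicious reference in one file's text.
function findLeakedSecretRefs(sourceText) {
  const findings = [];
  sourceText.split('\n').forEach((lineText, idx) => {
    for (const match of lineText.matchAll(VITE_ENV_REF)) {
      const name = match[1];
      if (SECRET_NAME_PATTERN.test(name)) {
        findings.push({ line: idx + 1, name });
      }
    }
  });
  return findings;
}

// Scan a map of path -> content and group findings by path.
function scanSources(files) {
  const report = {};
  for (const [path, text] of Object.entries(files)) {
    const hits = findLeakedSecretRefs(text);
    if (hits.length > 0) report[path] = hits;
  }
  return report;
}

// Hardened client pattern: the browser attaches the HttpOnly session cookie
// issued by a login endpoint; no Authorization header is built from env.
function buildSessionRequest(path, init = {}) {
  return {
    url: path,
    options: { ...init, credentials: 'include' },
  };
}

// Constructed sample: the issue's snippet plus two benign VITE_ variables.
const SAMPLE_FILES = {
  'app/src/App.tsx': [
    "const API = import.meta.env.VITE_API_URL;",
    "const AUTH_HEADERS: HeadersInit = import.meta.env.VITE_SECRET_TOKEN",
    "  ? { 'Authorization': `Bearer ${import.meta.env.VITE_SECRET_TOKEN}` }",
    "  : {};",
  ].join('\n'),
  'app/src/components/Safe.tsx': "const theme = import.meta.env.VITE_THEME;",
};

// Returns the report and whether the build should be failed.
function runCheck(files = SAMPLE_FILES) {
  const report = scanSources(files);
  return { report, failed: Object.keys(report).length > 0 };
}

console.log(JSON.stringify(runCheck(), null, 2));
```

Running this on the constructed sample flags `app/src/App.tsx` at lines 2 and 3 and leaves `Safe.tsx` untouched; wired into a CI step before `vite build`, a non-empty report stops the secret from being inlined in the first place. The session-cookie helper is the client half of the suggested fix: the server sets an HttpOnly, SameSite cookie at login and validates it on each API call, so nothing in the bundle can be extracted and replayed.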

Labels: bug