security: strip server-only env vars from next.config.js#311
Open
Mischa0x wants to merge 2 commits into
Open
Conversation
The `env:` block in next.config.js inlines every listed value into the
client-side JS bundle at build time. Server-only values have no business
there — they were being exposed to every visitor's browser the moment a
Vercel env set them.
Removed (referenced only by pages/api/* or scripts, which read process.env
at runtime and do not require inlining):
BOT_PRIVATE_KEY pages/api/vcxTrader.ts
TEST_BOT_PRIVATE_KEY pages/bots/compoundRewards.tsx, pages/bots/allocation.tsx
(also client-read — see TODO below)
DUNE_API_KEY pages/api/circulatingSupply.ts, totalSupply.ts
DISCORD_WEBHOOK lib/discord/discordBot.ts
FLASHBOTS_RPC_URL pages/api/vcxTrader.ts
MAINNET_RPC_URL pages/api/vcxTrader.ts
VCX_RECIPIENT pages/api/vcxTrader.ts
MIN_AMOUNT pages/api/vcxTrader.ts
WATCH_LIST unreferenced
ZK_FETCH_APP_ID unreferenced
ZK_FETCH_SECRET unreferenced
VAULTS_CACHE unreferenced (only in next.config.js)
Verified against current deploys: scanned all client chunks from
vaultcraft.io and app.vaultcraft.io — none currently contain a
private-key-shaped hex, confirming these env vars are not populated in
the Vercel project today. This change prevents accidental future
exposure the first time someone adds a real value to the Vercel env
under one of these names.
TODO (separate PRs needed, not fixed here):
1. pages/bots/compoundRewards.tsx:39 and pages/bots/allocation.tsx:314
call `process.env.TEST_BOT_PRIVATE_KEY` from client code. That flow
must be rearchitected to POST to an API route that signs server-side.
Those pages' signing functionality is currently non-functional on the
live deploy (env var unset), so this change does not cause a
regression — it removes the exposure path.
2. PINATA_API_SECRET / PINATA_API_KEY / DEBANK_API_KEY are still inlined
to the client because client code reads them today. Pinata secrets in
particular grant upload privileges billed to the account and should
be proxied through an authenticated API route.
Contributor
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
The previous commit wrongly classified VAULTS_CACHE as unreferenced. It is read by components/common/Page.tsx:509,545 — a client component that fetches a pre-computed vault-data JSON blob on initial load for a faster first paint, falling back to live computation if unset. It is not a secret (a public cache URL that gets fetched from browsers anyway), so inlining it is acceptable. Restoring to preserve the cache performance path.
Contributor
Author
|
Self-correction: pushed a follow-up commit restoring |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
env:block innext.config.jsinlines every listed value into the client-side JS bundle at build time. Server-only values have no business there — they were being exposed to every visitor's browser the moment a Vercel env var was set under one of these names.This PR removes every var that is only referenced by
pages/api/*,lib/**server code, or is entirely unreferenced. API routes readprocess.envat runtime and do not need to be inlined.What changed
Removed from
env:block:BOT_PRIVATE_KEYpages/api/vcxTrader.ts:38(server-only)TEST_BOT_PRIVATE_KEYpages/bots/compoundRewards.tsx:39,pages/bots/allocation.tsx:314— client-reads; see TODO #1DUNE_API_KEYpages/api/circulatingSupply.ts,pages/api/totalSupply.tsDISCORD_WEBHOOKlib/discord/discordBot.tsFLASHBOTS_RPC_URLpages/api/vcxTrader.tsMAINNET_RPC_URLpages/api/vcxTrader.tsVCX_RECIPIENTpages/api/vcxTrader.tsMIN_AMOUNTpages/api/vcxTrader.tsWATCH_LISTZK_FETCH_APP_IDZK_FETCH_SECRETVAULTS_CACHEKept in
env:block (client code reads them today — see TODO #2):NEXT_PUBLIC_ALCHEMY_API_KEY,PINATA_API_SECRET,PINATA_API_KEY,IPFS_URL,ENSO_API_KEY,DEFILLAMA_API_KEY,DEBANK_API_KEY.Verification
Scanned all client chunks currently served from
vaultcraft.ioandapp.vaultcraft.iofor 64-hex strings. Matches found (13 on app, 0 on root) are all known constants: secp256k1 curve params, UniV3 init code hash, EIP-6492 magic0x6492…, EVM bytecode prefixes, Balancer pool IDs. No private key present in the live bundles today — meaningBOT_PRIVATE_KEY/TEST_BOT_PRIVATE_KEYare not currently populated in the Vercel project. This PR locks in that safety: even if a value is added to Vercel env in the future, it will no longer ship to the browser.TODO (not in this PR)
pages/bots/compoundRewards.tsx:39andpages/bots/allocation.tsx:314callprocess.env.TEST_BOT_PRIVATE_KEYfrom client code. Those flows must be rearchitected to POST to an API route that signs server-side. Their signing path is currently non-functional on the live deploy (var unset), so this PR does not cause a regression — it removes the exposure path.PINATA_API_SECRET,PINATA_API_KEY,DEBANK_API_KEYare still inlined. Pinata secrets grant upload privileges billed to the account and should be proxied through an authenticated API route.Test plan
/api/vcxTrader,/api/circulatingSupply,/api/totalSupplystill work on preview (they readprocess.envat runtime, unaffected)🤖 Generated with Claude Code