Skip to content

fix: remove hardcoded API key and use config.js approach #91 NSoC'26#98

Open
PapuliDoley wants to merge 1 commit into
aditya-ai00:mainfrom
PapuliDoley:fix/remove-hardcoded-api-key
Open

fix: remove hardcoded API key and use config.js approach #91 NSoC'26#98
PapuliDoley wants to merge 1 commit into
aditya-ai00:mainfrom
PapuliDoley:fix/remove-hardcoded-api-key

Conversation

@PapuliDoley

Copy link
Copy Markdown

Fixes #91

Problem

The WeatherAPI key was hardcoded directly in "script.js"

Changes Made

  • Removed hardcoded API key from "script.js"
  • Used the existing "config.js / config.example.js" pattern
    already present in the project
  • Added a friendly error message if "config.js" is missing
  • Added "config.js" script tag in "index.html" before "script.js"

~ How It Works Now

  • Contributors create their own "config.js" using "config.example.js"
  • "config.js" is already in ".gitignore" so it never gets pushed
  • If key is missing, app shows a helpful message instead of breaking

Testing

  • App works correctly when "config.js" is present with a valid key
  • App shows friendly warning message when "config.js" is missing
  • No API key is exposed in the source code

NSoC'26

@vercel

vercel Bot commented Apr 30, 2026

Copy link
Copy Markdown

@PapuliDoley is attempting to deploy a commit to the aditya-ai00's projects Team on Vercel.

A member of the Team first needs to authorize it.

@gitguardian

gitguardian Bot commented Apr 30, 2026

Copy link
Copy Markdown

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secret in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
30476928 Triggered Generic High Entropy Secret 23c932d script.js View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@PapuliDoley

Copy link
Copy Markdown
Author

The GitGuardian alert is for the original hardcoded key that existed in the codebase before this fix. This PR is specifically fixing that security issue by removing the hardcoded key and replacing it with the config.js approach. The key in the alert belongs to the original repo and should be revoked by the maintainer.

@aditya-ai00

Copy link
Copy Markdown
Owner

Hi @PapuliDoley,

Thanks for working on this security fix — removing the hardcoded API key is definitely the right approach.

However, the GitGuardian check is still failing and detecting a secret in this PR. Even if the key existed earlier, we cannot proceed with merging while a secret is still being flagged.

Please make sure that:

  • No API key is present anywhere in the code (including commits and history)
  • The PR diff is completely clean of any exposed keys
  • The implementation works correctly using the config.js approach

Also, I’ll take care of revoking and rotating the existing API key from the repository side.

Once the PR passes the security checks and is fully clean, I’ll review it again for merge.

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security Bug: API Key is Hardcoded in script.js

2 participants