fix: stop exposing client-side tokens#1329
fix: stop exposing client-side tokens#1329Abhash-Chakraborty wants to merge 1 commit intorecodehive:mainfrom
Conversation
|
@Abhash-Chakraborty is attempting to deploy a commit to the recode Team on Vercel. A member of the Team first needs to authorize it. |
|
Thank you for submitting your pull request! 🙌 We'll review it as soon as possible. The estimated time for response is 5–8 hrs. In the meantime, please provide all necessary screenshots and make sure you run - npm build run , command and provide a screenshot, a video recording, or an image of the update you made below, which helps speed up the review and assignment. If you have questions, reach out to LinkedIn. Your contributions are highly appreciated!😊 Note: I maintain the repo issue every day twice at 8:00 AM IST and 9:00 PM IST. If your PR goes stale for more than one day, you can tag and comment on this same issue by tagging @sanjay-kv. We are here to help you on this journey of open source. Consistent 20 contributions are eligible for sponsorship 💰 🎁 check our list of amazing people we sponsored so far: GitHub Sponsorship. ✨ 📚Your perks for contribution to this community 👇🏻
If there are any specific instructions or feedback regarding your PR, we'll provide them here. Thanks again for your contribution! 😊 |
|
@sanjay-kv Can you please review this? |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
This PR removes previously client-exposed secrets from the Docusaurus site configuration and updates docs/code to avoid making authenticated GitHub requests from browser-bundled code.
Changes:
- Remove GitHub token plumbing from client config and client-side request headers.
- Remove hardcoded Shopify Storefront token fallback from the Docusaurus config.
- Update internal documentation to clarify tokens must remain server-side.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| wiki/Documentation.md | Updates guidance to avoid storing GitHub tokens in client-bundled Docusaurus config. |
| src/services/githubService.ts | Removes browser token injection from GitHub request headers. |
| src/lib/statsProvider.tsx | Stops reading GitHub token from Docusaurus context and removes Authorization header usage. |
| docusaurus.config.ts | Removes GitHub token exposure and deletes hardcoded Shopify token fallback. |
Comments suppressed due to low confidence (1)
wiki/Documentation.md:581
- The TypeScript code fence opened for the headers example isn’t closed before the next markdown heading (
#### Getting a Token:), which will cause the rest of this section to render as code. Add a closing ``` after the headers example.
Authenticated requests should be made from a server-side endpoint or serverless function so the token is never shipped to the browser:
```typescript
const headers: Record<string, string> = {
Authorization: `token ${YOUR_GITHUB_TOKEN}`,
Accept: "application/vnd.github.v3+json",
};
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // Get headers for GitHub API requests | ||
| private getHeaders(): Record<string, string> { | ||
| const headers: Record<string, string> = { | ||
| return { | ||
| Accept: "application/vnd.github.v3+json", | ||
| "Content-Type": "application/json", | ||
| }; | ||
|
|
||
| // Add GitHub token if available in environment | ||
| // Note: In production, you might want to use a server-side proxy to avoid exposing tokens | ||
| if (typeof window !== "undefined" && (window as any).GITHUB_TOKEN) { | ||
| headers["Authorization"] = `token ${(window as any).GITHUB_TOKEN}`; | ||
| } | ||
|
|
||
| return headers; | ||
| } |
There was a problem hiding this comment.
The getHeaders() change removes Authorization, but this service makes requests to https://api.github.com/graphql (e.g., discussions count / discussions list). GitHub’s GraphQL API requires authentication, so these calls will now consistently fail (401) and the code will fall back to 0 discussions / mock discussions. Consider moving GraphQL calls behind a server-side endpoint (preferred), or switch to unauthenticated REST endpoints, or gate/disable these GraphQL features when no server-side auth is available.
Summary
Testing