
Add fallback bearer token for API requests#5

Open
sagnik11 wants to merge 1 commit into main from sagnik11-patch-2

Conversation

@sagnik11
Member

@sagnik11 sagnik11 commented Feb 24, 2026

Fallback to a default bearer token if the environment variable is not set.


Summary

This PR adds a fallback API key for the WorqHat AI code generation service in the main application page. The change ensures the app continues to function even if the WORQHAT_API_KEY environment variable is missing or misconfigured, preventing runtime errors during AI-powered code translation.

Changes

  • Fallback API key: Modified src/pages/index.js to include a hardcoded fallback value (sk-2233233532232) for the WORQHAT_API_KEY environment variable in the fetchAIResponse function.
  • Scope: The change is isolated to the my-code-translator feature, which handles AI-driven code generation.

Test Plan

  • Verify fallback behavior:
    • Remove or unset the WORQHAT_API_KEY environment variable locally.
    • Run the app (npm run dev) and navigate to the home page.
    • Enter a natural language code request (e.g., "Write a Python function to reverse a string") and submit.
    • Confirm the AI generates a code snippet without errors (fallback key is used).
  • Verify environment variable priority:
    • Restore the WORQHAT_API_KEY environment variable with a valid key.
    • Repeat the test above and confirm the app uses the environment variable (not the fallback).
  • Check error handling:
    • Temporarily replace the fallback key with an invalid value (e.g., sk-invalid).
    • Submit a code request and verify the app displays an appropriate error message (e.g., "Failed to fetch AI response").

Risk Assessment

  • Security: The fallback key is hardcoded in the client-side code, making it visible to users via browser dev tools. This could expose the key to misuse if it has unrestricted permissions.
    • Mitigation: Ensure the fallback key has strict rate limits or restricted permissions (e.g., demo-only access).
  • Reliability: The change prevents crashes due to missing environment variables but may silently degrade functionality if the fallback key fails (e.g., due to rate limits).
    • Mitigation: Add logging to track fallback key usage and monitor its performance.
  • Maintainability: Hardcoded values in source files can be overlooked during key rotations.
    • Mitigation: Document the fallback key’s purpose and expiration (if applicable) in the code or a README.

Breaking Changes

None. The change is backward-compatible and does not alter the API contract or user-facing behavior.

Related Issues

None identified from branch name or commit messages.
Written for commit d9d5ba0. Summary will update on new commits.
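To make the behaviour of the proposed line concrete, here is an added example (not code from the PR or the project) that reproduces the expression as a function of a plain environment object and compares it with the placement the author presumably intended and with a fail-fast version. The function names and the 'sk-test-only' value are constructed for the example.

```javascript
// Added example, not code from the PR or the project. The three builders
// take the environment as an argument so they can be exercised without
// touching process.env; every key value here is constructed.

const FALLBACK = 'sk-2233233532232'; // the literal the PR proposes to hardcode

// Exactly the expression from the PR. A template literal is a string even
// when the interpolated value is undefined, and a non-empty string is
// truthy, so the right-hand side of || is unreachable.
function proposedBearerToken(env) {
  return `Bearer ${env.WORQHAT_API_KEY}` || FALLBACK;
}

// The placement the PR presumably intended: || applied to the variable, and
// the prefix applied to whichever value wins. The fallback now fires, but in
// a pages/ component it still ships the credential to every browser.
function intendedBearerToken(env) {
  return `Bearer ${env.WORQHAT_API_KEY || FALLBACK}`;
}

// What a reviewer asks for: no baked-in credential, and a missing or blank
// key is a configuration error raised at the call site, not a 401 later.
function requiredBearerToken(env) {
  const key = env.WORQHAT_API_KEY;
  if (typeof key !== 'string' || key.trim() === '') {
    throw new Error('WORQHAT_API_KEY is not set');
  }
  return `Bearer ${key}`;
}

// The cases from the PR's test plan: key present, key unset, key set to ''.
const CASES = {
  present: { WORQHAT_API_KEY: 'sk-test-only' }, // constructed, not a real key
  unset: {},
  blank: { WORQHAT_API_KEY: '' },
};

// Runs every builder against every case and records the Authorization
// header value it would send, or the error it raises.
function compareBuilders() {
  const builders = { proposedBearerToken, intendedBearerToken, requiredBearerToken };
  const table = {};
  for (const [name, build] of Object.entries(builders)) {
    table[name] = {};
    for (const [label, env] of Object.entries(CASES)) {
      try {
        table[name][label] = build(env);
      } catch (err) {
        table[name][label] = `throws: ${err.message}`;
      }
    }
  }
  return table;
}

// console.table(compareBuilders()) shows the proposed code sending
// "Bearer undefined" and "Bearer " when the key is missing or blank.
```

The blank-key row is the one the PR's test plan never covers: a variable that is set but empty on the deployment platform looks configured to a naive `if (process.env.WORQHAT_API_KEY)` check, which is why the fail-fast version trims and tests for an empty string.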

Fallback to a default bearer token if the environment variable is not set.
@vercel

vercel bot commented Feb 24, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
text-to-code-with-worqhat-ai | Error | Error | Feb 24, 2026 2:20am

@coderabbitai

coderabbitai bot commented Feb 24, 2026

📝 Walkthrough

Walkthrough

The authentication logic in fetchAIResponse now includes a fallback to a hardcoded token string when the WORQHAT_API_KEY environment variable is missing or undefined. Previously, only the environment variable was used for the bearer token.

Changes

Cohort / File(s) | Summary
Authentication Fallback, src/pages/index.js | Added default bearer token fallback ('sk-2233233532232') when WORQHAT_API_KEY environment variable is not defined, changing token assignment behavior from environment-only to environment-with-fallback.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A fallback token hops into place,
When env vars vanish without a trace,
Default strings now save the day,
The auth flow finds its trusty way! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately describes the main change: adding a fallback bearer token for API requests when environment variables are missing.
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.


@autter-dev

autter-dev bot commented Feb 24, 2026

Test plan (Shipgate)

  • Verify environment variable priority:
    • Set WORQHAT_API_KEY in your environment and confirm the app uses this key (check network requests or logs).
    • Unset WORQHAT_API_KEY and confirm the app falls back to the hardcoded key (sk-2233233532232).
  • Test API functionality:
    • Enter a natural language code request (e.g., "Generate a Python function to reverse a string") and verify the AI returns valid code.
    • Test with multiple programming languages to ensure the fallback key works across all supported languages.
  • Edge cases:
    • Test with an empty or malformed WORQHAT_API_KEY to confirm the fallback is triggered.
    • Verify no errors are thrown if the hardcoded key is invalid (e.g., simulate an API rejection).

This checklist was generated automatically by Shipgate based on the PR description settings.


@cubic-dev-ai cubic-dev-ai bot left a comment


2 issues found across 1 file

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="src/pages/index.js">

<violation number="1" location="src/pages/index.js:41">
P1: Bug: The fallback will never trigger. Template literals always produce a string (at minimum `"Bearer undefined"`), which is truthy, so the `||` operator never reaches the right-hand side. The `||` should be applied to the env variable *inside* the template literal. Also note the fallback is missing the `Bearer ` prefix.</violation>

<violation number="2" location="src/pages/index.js:41">
P0: Security: Hardcoded API key `sk-2233233532232` in source code. Secrets should never be committed to version control. Use environment variables exclusively and fail explicitly if the required key is missing, or use a `.env` file that is gitignored.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

async function fetchAIResponse(selectedLanguage, question) {
const API_ENDPOINT = "https://api.worqhat.com/api/ai/content/v2";
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}`;
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}` || 'sk-2233233532232';
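Review bot: the fallback on the added line is dead code: `||` is applied to the template literal, and a template literal is always a string (`Bearer undefined` when WORQHAT_API_KEY is unset, `Bearer ` when it is empty), so the right-hand side is never evaluated. Moving the operator inside (`Bearer ${process.env.WORQHAT_API_KEY || '...'}`) would make it fire, but it would still commit a credential to git and, because this lives in a `pages/` component, ship it in the browser bundle where anyone can read it from dev tools; the literal also lacks the `Bearer ` prefix the header needs. Drop the fallback, keep the key server-side (an API route that reads `process.env.WORQHAT_API_KEY` and returns a generic 500 when it is missing), and if `sk-2233233532232` is a real key, rotate it now because it is already in the branch history.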

@cubic-dev-ai cubic-dev-ai bot Feb 24, 2026


P0: Security: Hardcoded API key sk-2233233532232 in source code. Secrets should never be committed to version control. Use environment variables exclusively and fail explicitly if the required key is missing, or use a .env file that is gitignored.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/pages/index.js, line 41:

<comment>Security: Hardcoded API key `sk-2233233532232` in source code. Secrets should never be committed to version control. Use environment variables exclusively and fail explicitly if the required key is missing, or use a `.env` file that is gitignored.</comment>

<file context>
@@ -38,7 +38,7 @@ const createPrompt = (inputLanguage, inputCode) => {
 async function fetchAIResponse(selectedLanguage, question) {
   const API_ENDPOINT = "https://api.worqhat.com/api/ai/content/v2";
-  const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}`;
+  const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}` || 'sk-2233233532232';
 
   const prompt = createPrompt(selectedLanguage, question);
</file context>

async function fetchAIResponse(selectedLanguage, question) {
const API_ENDPOINT = "https://api.worqhat.com/api/ai/content/v2";
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}`;
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}` || 'sk-2233233532232';

@cubic-dev-ai cubic-dev-ai bot Feb 24, 2026


P1: Bug: The fallback will never trigger. Template literals always produce a string (at minimum "Bearer undefined"), which is truthy, so the || operator never reaches the right-hand side. The || should be applied to the env variable inside the template literal. Also note the fallback is missing the Bearer prefix.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/pages/index.js, line 41:

<comment>Bug: The fallback will never trigger. Template literals always produce a string (at minimum `"Bearer undefined"`), which is truthy, so the `||` operator never reaches the right-hand side. The `||` should be applied to the env variable *inside* the template literal. Also note the fallback is missing the `Bearer ` prefix.</comment>

<file context>
@@ -38,7 +38,7 @@ const createPrompt = (inputLanguage, inputCode) => {
 async function fetchAIResponse(selectedLanguage, question) {
   const API_ENDPOINT = "https://api.worqhat.com/api/ai/content/v2";
-  const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}`;
+  const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}` || 'sk-2233233532232';
 
   const prompt = createPrompt(selectedLanguage, question);
</file context>


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/pages/index.js`:
- Around line 39-41: The code in fetchAIResponse exposes a hardcoded secret and misuses the template literal fallback (BEARER_TOKEN) so it will produce "Bearer undefined" instead of falling back; move the API call logic out of the browser by creating a Next.js server-side API route (e.g., pages/api/fetch-ai) that reads process.env.WORQHAT_API_KEY, fails fast with a clear error if the key is missing, and constructs BEARER_TOKEN = `Bearer ${apiKey}` there; then update the client-side fetchAIResponse to call that API route via POST with the selectedLanguage and question and consume the JSON response (or if the key is meant to be public, rename to NEXT_PUBLIC_WORQHAT_API_KEY and validate its presence at runtime before using it).

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ede0732 and d9d5ba0.

📒 Files selected for processing (1)
  • src/pages/index.js

Comment on lines 39 to +41
async function fetchAIResponse(selectedLanguage, question) {
const API_ENDPOINT = "https://api.worqhat.com/api/ai/content/v2";
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}`;
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}` || 'sk-2233233532232';


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Check if file exists and read the relevant lines
head -50 src/pages/index.js | cat -n

Repository: WorqHat/AI-Code-Generator

Length of output: 1723


🏁 Script executed:

# Search for other API calls or token usage in the file
rg -n "BEARER_TOKEN|WORQHAT_API_KEY" src/pages/index.js

Repository: WorqHat/AI-Code-Generator

Length of output: 195


🏁 Script executed:

# Check for Next.js API routes that might handle this
fd -t f "\.js$" "api" | head -20

Repository: WorqHat/AI-Code-Generator

Length of output: 159


🏁 Script executed:

# Look for env variable usage patterns in the repo
rg "NEXT_PUBLIC_" --type js | head -20

Repository: WorqHat/AI-Code-Generator

Length of output: 51


🏁 Script executed:

# Check for environment files
ls -la | grep -E "\.env"

Repository: WorqHat/AI-Code-Generator

Length of output: 51


🏁 Script executed:

# Search for where fetchAIResponse is called
rg -n "fetchAIResponse" src/pages/index.js -A 3 -B 3

Repository: WorqHat/AI-Code-Generator

Length of output: 609


🏁 Script executed:

# Check full fetchAIResponse function implementation
sed -n '39,80p' src/pages/index.js | cat -n

Repository: WorqHat/AI-Code-Generator

Length of output: 1793


🏁 Script executed:

# Check if this page uses React hooks (client-side indicator)
rg "useState|useEffect|useRef" src/pages/index.js

Repository: WorqHat/AI-Code-Generator

Length of output: 273


Remove hardcoded token and fix the fallback logic; current code exposes secrets and the fallback never triggers.

Line 41 hardcodes a sensitive token that will be exposed in the browser bundle. Additionally, the || fallback never executes because a template literal is always truthy—when WORQHAT_API_KEY is missing, the code produces Bearer undefined (a truthy string) instead of falling back to the second value.

Move the API call to a server-side Next.js API route where WORQHAT_API_KEY can be securely accessed, or if the key is intentionally public, rename it to NEXT_PUBLIC_WORQHAT_API_KEY and fail fast with a clear error when it's missing.

🔧 Suggested fix (server-side approach recommended)

Move fetchAIResponse to an API route (pages/api/fetch-ai.js):

export default async function handler(req, res) {
  const apiKey = process.env.WORQHAT_API_KEY;
  if (!apiKey) {
    return res.status(500).json({ error: "WORQHAT_API_KEY not configured" });
  }
  const BEARER_TOKEN = `Bearer ${apiKey}`;
  // ... rest of logic
}

Then call it from the client:

const responseData = await fetch('/api/fetch-ai', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ selectedLanguage: language, question: questionText }),
}).then(r => r.json());
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/pages/index.js` around lines 39 - 41, The code in fetchAIResponse exposes a hardcoded secret and misuses the template literal fallback (BEARER_TOKEN) so it will produce "Bearer undefined" instead of falling back; move the API call logic out of the browser by creating a Next.js server-side API route (e.g., pages/api/fetch-ai) that reads process.env.WORQHAT_API_KEY, fails fast with a clear error if the key is missing, and constructs BEARER_TOKEN = `Bearer ${apiKey}` there; then update the client-side fetchAIResponse to call that API route via POST with the selectedLanguage and question and consume the JSON response (or if the key is meant to be public, rename to NEXT_PUBLIC_WORQHAT_API_KEY and validate its presence at runtime before using it).
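As an added example (not the project's code and not CodeRabbit's), here is the server-side route described above written as a plain function that takes its environment and fetch implementation as parameters, so it can be exercised without Next.js or the network. The payload sent to WorqHat is an assumption, since the PR does not show the real request format; `createHandler`, `mockRes`, `mockFetch` and `exercise` are names invented for this example.

```javascript
// Added example, not the project's code: a server-only proxy in the shape of
// a Next.js pages/api handler. Dependencies (env, fetch) are injected so the
// handler runs here offline. The upstream request body is an assumption; the
// PR does not show the real WorqHat payload.

const API_ENDPOINT = 'https://api.worqhat.com/api/ai/content/v2';
const MAX_QUESTION_LENGTH = 4000;

function createHandler({ env, fetchImpl }) {
  return async function handler(req, res) {
    if (req.method !== 'POST') {
      res.setHeader('Allow', 'POST');
      return res.status(405).json({ error: 'Method not allowed' });
    }

    // Fail fast on missing configuration. The detail goes to the server log;
    // the client gets a generic message and never learns which variable is
    // missing, let alone what the key is.
    const apiKey = env.WORQHAT_API_KEY;
    if (typeof apiKey !== 'string' || apiKey.trim() === '') {
      console.error('WORQHAT_API_KEY is not configured');
      return res.status(500).json({ error: 'Service not configured' });
    }

    // Validate the client-supplied fields before spending upstream quota.
    const { selectedLanguage, question } = req.body || {};
    if (
      typeof selectedLanguage !== 'string' || selectedLanguage.length === 0 ||
      typeof question !== 'string' || question.length === 0 ||
      question.length > MAX_QUESTION_LENGTH
    ) {
      return res.status(400).json({ error: 'Invalid request' });
    }

    // The only place the credential is ever used: a server-to-server call.
    const upstream = await fetchImpl(API_ENDPOINT, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        Authorization: `Bearer ${apiKey}`,
      },
      // Assumed payload shape; adapt to the real WorqHat request format.
      body: JSON.stringify({ question: `Write ${selectedLanguage} code: ${question}` }),
    });

    if (!upstream.ok) {
      console.error(`WorqHat request failed with status ${upstream.status}`);
      return res.status(502).json({ error: 'Failed to fetch AI response' });
    }
    const data = await upstream.json();
    return res.status(200).json({ content: data.content });
  };
}

// Doubles for the small subset of the Next.js req/res API used above.
function mockRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (name, value) => { res.headers[name] = value; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Constructed stand-in for fetch: records each upstream call and answers with
// a fixed snippet, never touching the network.
function mockFetch(calls) {
  return async (url, init) => {
    calls.push({ url, init });
    return { ok: true, status: 200, json: async () => ({ content: 'def reverse(s): return s[::-1]' }) };
  };
}

// Exercises the handler for the cases the reviewers raised: key configured,
// key missing, malformed client input. Returns what each case produced.
async function exercise() {
  const calls = [];
  const good = createHandler({ env: { WORQHAT_API_KEY: 'sk-test-only' }, fetchImpl: mockFetch(calls) });
  const noKey = createHandler({ env: {}, fetchImpl: mockFetch(calls) });
  const body = { selectedLanguage: 'Python', question: 'reverse a string' };

  const ok = mockRes();
  await good({ method: 'POST', body }, ok);
  const unconfigured = mockRes();
  await noKey({ method: 'POST', body }, unconfigured);
  const bad = mockRes();
  await good({ method: 'POST', body: { question: 42 } }, bad);

  return { ok, unconfigured, bad, calls };
}
```

With this shape the client bundle contains no credential at all: the browser posts `{ selectedLanguage, question }` to `/api/fetch-ai`, and the only response body it ever sees is `{ content }` or a generic error, which is the property the assertions in `exercise()` check.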



@autter-dev autter-dev bot left a comment


🔐 Security Analysis — Shipgate

Security Score: 53/100 (high)

Critical: 0 | High: 1 | Medium: 0 | Low: 0 | Info: 0

Critical & High Issues

  • [HIGH] src/pages/index.js:41 — Remove hardcoded credential fallback; use secure secrets manager instead

Dependency Vulnerabilities

No dependency vulnerabilities detected.

Risk Context

The blast radius is limited to the my-code-translator scope, but the hardcoded credential poses a severe risk if exposed in version control or logs. Since this is a Next.js web app using WorqHat’s AI model, leaked credentials could enable unauthorized API access, data exfiltration, or model abuse—especially critical for a public-facing AI tool with live demos.


Security analysis by Shipgate · Review your security settings

async function fetchAIResponse(selectedLanguage, question) {
const API_ENDPOINT = "https://api.worqhat.com/api/ai/content/v2";
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}`;
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}` || 'sk-2233233532232';


🟠 HIGH: Hardcoded credential as env var fallback

Category: secret
Matched: `Bearer ${process.env.WORQHAT_API_KEY}` || 'sk-2233233532232'

Rotate/remove the value and move it to a secure secrets store (e.g. environment variables, vault).

— Shipgate Security
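As an added example, not Shipgate's scanner or the project's code, here is the kind of pre-merge check that catches this pattern: it walks a unified diff and reports added lines that default an environment variable to a string literal, or that contain a token-shaped literal. The diff it scans is constructed from the hunk in this PR plus a second, benign hunk; the regexes and the `SENSITIVE_NAME` heuristic are choices made for the example, and `scanDiff` and `inspectLine` are names invented here.

```javascript
// Added example, not the project's code or Shipgate's scanner: a diff-level
// secret check. The sample diff is constructed from the hunk in this PR plus
// a benign hunk; patterns and thresholds are choices made for the example.

// Token-shaped literals: common vendor prefixes followed by a long body.
const SECRET_LITERAL = /\b(sk|pk|ghp|glpat|xox[abps])-[A-Za-z0-9_-]{8,}/;
// `process.env.NAME ... || 'literal'` or `?? 'literal'`, any quote style.
// The lazy middle part lets it match whether || sits inside or outside a
// template literal, which is exactly the distinction this PR got wrong.
const ENV_FALLBACK = /process\.env\.(\w+)[^|?\n]*?(\|\||\?\?)\s*(['"`])([^'"`]+)\3/;
// Variable names whose defaults are credentials rather than harmless config.
const SENSITIVE_NAME = /KEY|TOKEN|SECRET|PASS|CREDENTIAL/i;

// Returns the list of reasons a single line of source is suspicious.
function inspectLine(text) {
  const reasons = [];
  const fallback = ENV_FALLBACK.exec(text);
  if (fallback) {
    const [, name, , , literal] = fallback;
    // A default for PORT or NODE_ENV is fine; a default for *_KEY is not.
    if (SENSITIVE_NAME.test(name) || SECRET_LITERAL.test(literal)) {
      reasons.push(`env-fallback:${name}`);
    }
  }
  const literal = SECRET_LITERAL.exec(text);
  if (literal) reasons.push(`secret-literal:${literal[0]}`);
  return reasons;
}

// Walks a unified diff, tracking the current file and the new-side line
// number so findings point at the line a reviewer would comment on.
function scanDiff(diffText) {
  const findings = [];
  let file = null;
  let newLine = 0;
  for (const raw of diffText.split('\n')) {
    if (raw.startsWith('+++ ')) { file = raw.slice(4).replace(/^b\//, ''); continue; }
    if (raw.startsWith('--- ') || raw.startsWith('diff ')) continue;
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    const marker = raw[0];
    if (marker === '-') continue; // removed lines have no new-side number
    if (marker !== '+' && marker !== ' ') continue;
    if (marker === '+') {
      const reasons = inspectLine(raw.slice(1));
      if (reasons.length) findings.push({ file, line: newLine, reasons, text: raw.slice(1).trim() });
    }
    newLine++;
  }
  return findings;
}

// Constructed sample: the PR's hunk (with the blank context line that makes
// the added line land on 41) plus a benign PORT default that must not fire.
const SAMPLE_DIFF = [
  'diff --git a/src/pages/index.js b/src/pages/index.js',
  '--- a/src/pages/index.js',
  '+++ b/src/pages/index.js',
  '@@ -38,7 +38,7 @@ const createPrompt = (inputLanguage, inputCode) => {',
  ' ',
  ' async function fetchAIResponse(selectedLanguage, question) {',
  '   const API_ENDPOINT = "https://api.worqhat.com/api/ai/content/v2";',
  '-  const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}`;',
  "+  const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}` || 'sk-2233233532232';",
  ' ',
  '   const prompt = createPrompt(selectedLanguage, question);',
  'diff --git a/server.js b/server.js',
  '--- a/server.js',
  '+++ b/server.js',
  '@@ -1,3 +1,3 @@',
  ' const http = require("http");',
  '-const port = process.env.PORT;',
  "+const port = process.env.PORT || '3000';",
  ' http.createServer(app).listen(port);',
].join('\n');

// scanDiff(SAMPLE_DIFF) reports one finding at src/pages/index.js:41 with
// both an env-fallback and a secret-literal reason; the PORT default passes.
```

The scanner reads added lines only. A secret on a removed line is still in the repository history, so a production version should report those too, with a "rotate" action rather than a "remove" one.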

@autter-dev

autter-dev bot commented Feb 24, 2026

Test plan (Shipgate)

  • Verify environment variable behavior:
    • Start the application with WORQHAT_API_KEY unset in the environment.
    • Enter a natural language code request (e.g., "Generate a Python function to reverse a string").
    • Confirm the AI returns a valid code response without errors.
  • Verify environment variable override:
    • Set a valid WORQHAT_API_KEY in the environment (e.g., via .env.local).
    • Restart the application and submit another code request.
    • Confirm the AI response is successful, indicating the environment variable is prioritized over the fallback key.
  • Check error handling:
    • Temporarily modify the fallback key to an invalid value (e.g., sk-invalid).
    • Submit a code request with WORQHAT_API_KEY unset.
    • Confirm the application gracefully handles API errors (e.g., displays a user-friendly error message).



@autter-dev autter-dev bot left a comment


🔐 Security Analysis — Shipgate

Security Score: 53/100 (high)

Critical: 0 | High: 1 | Medium: 0 | Low: 0 | Info: 0

🚨 Critical & High Issues

  • [HIGH] src/pages/index.js:41 — Hardcoded credential as environment variable fallback (exposes secrets in version control)

📦 Dependency Vulnerabilities

No dependency vulnerabilities detected.

📊 Risk Context

This repository is a Next.js-based AI code generator using WorqHat’s AiConV2 model, with direct exposure via API endpoints and frontend pages. The hardcoded credential (even as a fallback) poses a high risk due to its potential to leak sensitive API keys or tokens in version control, enabling unauthorized access to WorqHat’s services or downstream abuse (e.g., model hijacking, cost exploitation). While the blast radius is currently limited to the my-code-translator scope, the credential could propagate to dependent workflows (e.g., CI/CD, deployments) if not remediated. Immediate removal and rotation of the exposed secret is critical to prevent credential theft.



async function fetchAIResponse(selectedLanguage, question) {
const API_ENDPOINT = "https://api.worqhat.com/api/ai/content/v2";
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}`;
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}` || 'sk-2233233532232';


🔴 Potential issue | High

⚙️ Analysis chain

Remove hardcoded API key fallback; current code exposes secrets in client-side bundles.

  • The code uses a hardcoded API key (sk-2233233532232) as a fallback when process.env.WORQHAT_API_KEY is undefined.
  • This credential is exposed in client-side JavaScript bundles, making it trivial for attackers to extract and abuse.
  • The fallback logic is also flawed: the || operator will never trigger because Bearer ${undefined} evaluates to "Bearer undefined", a truthy string.

Proposed solutions: Move the token handling to a server-side API route or middleware. If client-side use is unavoidable, fail fast when the env var is missing instead of providing a hardcoded fallback.

🔧 Suggested fix (server-side approach recommended)

// Remove the fallback entirely and validate the env var at build/runtime
const BEARER_TOKEN = process.env.WORQHAT_API_KEY
  ? `Bearer ${process.env.WORQHAT_API_KEY}`
  : null;

if (!BEARER_TOKEN) {
  throw new Error('WORQHAT_API_KEY environment variable is required');
}

🤖 Prompt for AI Agents

"Remove the hardcoded API key fallback in line 41 and replace with a server-side validation that throws an error if WORQHAT_API_KEY is missing."

@autter-dev

autter-dev bot commented Feb 24, 2026

Test plan (Shipgate)

  • Verify fallback behavior:
    • Remove or unset the WORQHAT_API_KEY environment variable locally.
    • Run the app (npm run dev) and navigate to the home page.
    • Enter a natural language code request (e.g., "Write a Python function to reverse a string") and submit.
    • Confirm the AI generates a code snippet without errors (fallback key is used).
  • Verify environment variable priority:
    • Restore the WORQHAT_API_KEY environment variable with a valid key.
    • Repeat the test above and confirm the app uses the environment variable (not the fallback).
  • Check error handling:
    • Temporarily replace the fallback key with an invalid value (e.g., sk-invalid).
    • Submit a code request and verify the app displays an appropriate error message (e.g., "Failed to fetch AI response").



@autter-dev autter-dev bot left a comment


🔐 Security Analysis — Shipgate

Security Score: 60/100 (high)

Drivers:

  • Hardcoded secret or credential
Critical: 0 | High: 1 | Medium: 0 | Low: 0 | Info: 0

🚨 Critical & High Issues

  • [SECRETS] src/pages/index.js:41 — Remove hardcoded credential fallback and use secure secret management (e.g., Vercel environment variables with strict access controls)

📦 Dependency Vulnerabilities

No dependency vulnerabilities detected.

📊 Risk Context

This repository’s blast radius is limited to the my-code-translator scope, with no direct dependents. However, the hardcoded credential in src/pages/index.js could expose the WorqHat AI API key if environment variables fail or are misconfigured, enabling unauthorized access to the AI model, potential abuse (e.g., quota theft), or data leakage. As a Next.js app deployed on Vercel, this risk is amplified in client-side code, where secrets may inadvertently leak in browser dev tools or logs. Secure secret handling is critical for AI-powered tools to prevent misuse and maintain service integrity.



async function fetchAIResponse(selectedLanguage, question) {
const API_ENDPOINT = "https://api.worqhat.com/api/ai/content/v2";
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}`;
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}` || 'sk-2233233532232';


🔴 Potential issue | High

⚙️ Analysis chain

Remove hardcoded API key fallback; current code exposes secrets in client-side bundles.

  • The code provides a hardcoded API key (sk-2233233532232) as a fallback if process.env.WORQHAT_API_KEY is missing.
  • This key is exposed in client-side JavaScript bundles, making it trivial for attackers to extract and abuse.
  • The fallback logic is flawed: the || operator will never trigger because Bearer ${undefined} is a truthy string, not undefined or null.

Proposed solutions: Remove the fallback entirely. If the env var is missing, fail fast with a clear error or implement a secure server-side proxy.

🔧 Suggested fix (server-side approach recommended)

const BEARER_TOKEN = process.env.WORQHAT_API_KEY
  ? `Bearer ${process.env.WORQHAT_API_KEY}`
  : null;

if (!BEARER_TOKEN) {
  throw new Error('WORQHAT_API_KEY environment variable is required');
}

🤖 Prompt for AI Agents

"Remove the hardcoded API key fallback in line 41 of src/pages/index.js. Replace with a null check for the env var and throw an error if missing. Ensure no secrets are exposed client-side."

Labels: None yet
Projects: None yet
1 participant