2 changes: 1 addition & 1 deletion src/pages/index.js
@@ -38,7 +38,7 @@ const createPrompt = (inputLanguage, inputCode) => {

async function fetchAIResponse(selectedLanguage, question) {
const API_ENDPOINT = "https://api.worqhat.com/api/ai/content/v2";
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}`;
const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}` || 'sk-2233233532232';

@cubic-dev-ai cubic-dev-ai bot Feb 24, 2026


P0: Security: Hardcoded API key sk-2233233532232 in source code. Secrets should never be committed to version control. Use environment variables exclusively and fail explicitly if the required key is missing, or use a .env file that is gitignored.



@cubic-dev-ai cubic-dev-ai bot Feb 24, 2026


P1: Bug: The fallback will never trigger. Template literals always produce a string (at minimum "Bearer undefined"), which is truthy, so the || operator never reaches the right-hand side. The || should be applied to the env variable inside the template literal. Also note the fallback is missing the Bearer prefix.


Comment on lines 39 to +41

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Repository: WorqHat/AI-Code-Generator

🏁 Scripts executed:

# Check if file exists and read the relevant lines
head -50 src/pages/index.js | cat -n

# Search for other API calls or token usage in the file
rg -n "BEARER_TOKEN|WORQHAT_API_KEY" src/pages/index.js

# Check for Next.js API routes that might handle this
fd -t f "\.js$" "api" | head -20

# Look for env variable usage patterns in the repo
rg "NEXT_PUBLIC_" --type js | head -20

# Check for environment files
ls -la | grep -E "\.env"

# Search for where fetchAIResponse is called
rg -n "fetchAIResponse" src/pages/index.js -A 3 -B 3

# Check full fetchAIResponse function implementation
sed -n '39,80p' src/pages/index.js | cat -n

# Check if this page uses React hooks (client-side indicator)
rg "useState|useEffect|useRef" src/pages/index.js


Remove hardcoded token and fix the fallback logic; current code exposes secrets and the fallback never triggers.

Line 41 hardcodes a sensitive token that will be exposed in the browser bundle. Additionally, the || fallback never executes because a template literal is always truthy—when WORQHAT_API_KEY is missing, the code produces Bearer undefined (a truthy string) instead of falling back to the second value.

Move the API call to a server-side Next.js API route where WORQHAT_API_KEY can be securely accessed, or if the key is intentionally public, rename it to NEXT_PUBLIC_WORQHAT_API_KEY and fail fast with a clear error when it's missing.

🔧 Suggested fix (server-side approach recommended)

Move fetchAIResponse to an API route (pages/api/fetch-ai.js):

export default async function handler(req, res) {
  const apiKey = process.env.WORQHAT_API_KEY;
  if (!apiKey) {
    return res.status(500).json({ error: "WORQHAT_API_KEY not configured" });
  }
  const BEARER_TOKEN = `Bearer ${apiKey}`;
  // ... rest of logic
}

Then call it from the client:

const responseData = await fetch('/api/fetch-ai', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ selectedLanguage: language, question: questionText }),
}).then(r => r.json());

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/pages/index.js` around lines 39 - 41, The code in fetchAIResponse exposes
a hardcoded secret and misuses the template literal fallback (BEARER_TOKEN) so
it will produce "Bearer undefined" instead of falling back; move the API call
logic out of the browser by creating a Next.js server-side API route (e.g.,
pages/api/fetch-ai) that reads process.env.WORQHAT_API_KEY, fails fast with a
clear error if the key is missing, and constructs BEARER_TOKEN = `Bearer
${apiKey}` there; then update the client-side fetchAIResponse to call that API
route via POST with the selectedLanguage and question and consume the JSON
response (or if the key is meant to be public, rename to
NEXT_PUBLIC_WORQHAT_API_KEY and validate its presence at runtime before using
it).


🟠 HIGH: Hardcoded credential as env var fallback

Category: secret
Matched: `` `Bearer ${process.env.WORQHAT_API_KEY}` || 'sk-2233233532232' ``

Rotate/remove the value and move it to a secure secrets store (e.g. environment variables, vault).

— Shipgate Security


🔴 Potential issue | High

⚙️ Analysis chain

Remove hardcoded API key fallback; current code exposes secrets in client-side bundles.

  • The code uses a hardcoded API key (sk-2233233532232) as a fallback when process.env.WORQHAT_API_KEY is undefined.
  • This credential is exposed in client-side JavaScript bundles, making it trivial for attackers to extract and abuse.
  • The fallback logic is also flawed: the || operator will never trigger because Bearer ${undefined} evaluates to "Bearer undefined", a truthy string.

Proposed solutions: Move the token handling to a server-side API route or middleware. If client-side use is unavoidable, fail fast when the env var is missing instead of providing a hardcoded fallback.

🔧 Suggested fix (server-side approach recommended)

// Remove the fallback entirely and validate the env var at build/runtime
const BEARER_TOKEN = process.env.WORQHAT_API_KEY
  ? `Bearer ${process.env.WORQHAT_API_KEY}`
  : null;

if (!BEARER_TOKEN) {
  throw new Error('WORQHAT_API_KEY environment variable is required');
}

🤖 Prompt for AI Agents

"Remove the hardcoded API key fallback in line 41 and replace with a server-side validation that throws an error if WORQHAT_API_KEY is missing."


🔴 Potential issue | High

⚙️ Analysis chain

Remove hardcoded API key fallback; current code exposes secrets in client-side bundles.

  • The code provides a hardcoded API key (sk-2233233532232) as a fallback if process.env.WORQHAT_API_KEY is missing.
  • This key is exposed in client-side JavaScript bundles, making it trivial for attackers to extract and abuse.
  • The fallback logic is flawed: the || operator will never trigger because Bearer ${undefined} is a truthy string, not undefined or null.

Proposed solutions: Remove the fallback entirely. If the env var is missing, fail fast with a clear error or implement a secure server-side proxy.

🔧 Suggested fix (server-side approach recommended)

const BEARER_TOKEN = process.env.WORQHAT_API_KEY
  ? `Bearer ${process.env.WORQHAT_API_KEY}`
  : null;

if (!BEARER_TOKEN) {
  throw new Error('WORQHAT_API_KEY environment variable is required');
}

🤖 Prompt for AI Agents

"Remove the hardcoded API key fallback in line 41 of src/pages/index.js. Replace with a null check for the env var and throw an error if missing. Ensure no secrets are exposed client-side."


const prompt = createPrompt(selectedLanguage, question);
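Review bot: the `||` on the added line never falls back, and the value it would fall back to is a credential committed to a browser-bundled page. In `` const BEARER_TOKEN = `Bearer ${process.env.WORQHAT_API_KEY}` || 'sk-2233233532232'; `` the template literal is evaluated first and is always a non-empty string ("Bearer undefined" when the variable is unset), so it is truthy and the right-hand side is unreachable; had it been reachable it would also lack the `Bearer ` prefix. Drop the literal, read `process.env.WORQHAT_API_KEY` into a variable, return a clear error when it is empty, and build the header from that variable; since `src/pages/index.js` is a page compiled into the client bundle, the key and the call to `API_ENDPOINT` belong in a server-side route rather than in this file, and the committed value should be rotated.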
