fix(security): obscur secrets with env variables

Author: dvcol

.github/actions/build/action.yml

@@ -13,6 +13,32 @@ inputs:
     description: Node version to use
     required: true
 
+  trakt_production_id:
+    description: Trakt production ID
+    required: true
+  trakt_production_secret:
+    description: Trakt production secret
+    required: true
+
+  trakt_staging_id:
+    description: Trakt staging ID
+    required: true
+  trakt_staging_secret:
+    description: Trakt staging secret
+    required: true
+
+  tmdb_api_key:
+    description: TMDB API key
+    required: true
+  tmdb_read_token:
+    description: TMDB read token
+    required: true
+
+  tvdb_api_key:
+    description: TVDB API key
+    required: true
+
+
 runs:
   using: composite
   steps:
@@ -24,6 +50,17 @@ runs:
 
     - name: 🚧 Build sources
       shell: bash
+      env:
+        VITE_TRAKT_PRODUCTION_ID: ${{ inputs.trakt_production_id }}
+        VITE_TRAKT_PRODUCTION_SECRET: ${{ inputs.trakt_production_secret }}
+
+        VITE_TRAKT_STAGING_ID: ${{ inputs.trakt_staging_id }}
+        VITE_TRAKT_STAGING_SECRET: ${{ inputs.trakt_staging_secret }}
+
+        VITE_TMDB_API_KEY: ${{ inputs.tmdb_api_key }}
+        VITE_TMDB_READ_TOKEN: ${{ inputs.tmdb_read_token }}
+
+        VITE_TVDB_API_KEY: ${{ inputs.tvdb_api_key }}
       run: |
         # =================  🚧 Build  =================
         pnpm run ${{ inputs.script }}

.github/workflows/build.yml

@@ -33,6 +33,17 @@ jobs:
           node_version: ${{ env.node_version }}
           pnpm_version: ${{ env.pnpm_version }}
 
+          trakt_production_id: ${{ secrets.VITE_TRAKT_PRODUCTION_ID }}
+          trakt_production_secret: ${{ secrets.VITE_TRAKT_PRODUCTION_SECRET }}
+
+          trakt_staging_id: ${{ secrets.VITE_TRAKT_STAGING_ID }}
+          trakt_staging_secret: ${{ secrets.VITE_TRAKT_STAGING_SECRET }}
+
+          tmdb_api_key: ${{ secrets.VITE_TMDB_API_KEY }}
+          tmdb_read_token: ${{ secrets.VITE_TMDB_READ_TOKEN }}
+
+          tvdb_api_key: ${{ secrets.VITE_TVDB_API_KEY }}
+
   build-web:
     name: ☁️ Build Web
     runs-on: ubuntu-latest
@@ -48,6 +59,17 @@ jobs:
           node_version: ${{ env.node_version }}
           pnpm_version: ${{ env.pnpm_version }}
 
+          trakt_production_id: ${{ secrets.VITE_TRAKT_PRODUCTION_ID }}
+          trakt_production_secret: ${{ secrets.VITE_TRAKT_PRODUCTION_SECRET }}
+
+          trakt_staging_id: ${{ secrets.VITE_TRAKT_STAGING_ID }}
+          trakt_staging_secret: ${{ secrets.VITE_TRAKT_STAGING_SECRET }}
+
+          tmdb_api_key: ${{ secrets.VITE_TMDB_API_KEY }}
+          tmdb_read_token: ${{ secrets.VITE_TMDB_READ_TOKEN }}
+
+          tvdb_api_key: ${{ secrets.VITE_TVDB_API_KEY }}
+
   test:
     name: 🧪 Unit Test
     runs-on: ubuntu-latest

.github/workflows/deploy.yml

@@ -51,6 +51,17 @@ jobs:
           node_version: ${{ env.node_version }}
           pnpm_version: ${{ env.pnpm_version }}
 
+          trakt_production_id: ${{ secrets.VITE_TRAKT_PRODUCTION_ID }}
+          trakt_production_secret: ${{ secrets.VITE_TRAKT_PRODUCTION_SECRET }}
+
+          trakt_staging_id: ${{ secrets.VITE_TRAKT_STAGING_ID }}
+          trakt_staging_secret: ${{ secrets.VITE_TRAKT_STAGING_SECRET }}
+
+          tmdb_api_key: ${{ secrets.VITE_TMDB_API_KEY }}
+          tmdb_read_token: ${{ secrets.VITE_TMDB_READ_TOKEN }}
+
+          tvdb_api_key: ${{ secrets.VITE_TVDB_API_KEY }}
+
       - name: 🏗️ Setup Pages
         uses: actions/configure-pages@v5
 

.github/workflows/publish.yml

@@ -42,6 +42,17 @@ jobs:
           node_version: ${{ env.node_version }}
           pnpm_version: ${{ env.pnpm_version }}
 
+          trakt_production_id: ${{ secrets.VITE_TRAKT_PRODUCTION_ID }}
+          trakt_production_secret: ${{ secrets.VITE_TRAKT_PRODUCTION_SECRET }}
+
+          trakt_staging_id: ${{ secrets.VITE_TRAKT_STAGING_ID }}
+          trakt_staging_secret: ${{ secrets.VITE_TRAKT_STAGING_SECRET }}
+
+          tmdb_api_key: ${{ secrets.VITE_TMDB_API_KEY }}
+          tmdb_read_token: ${{ secrets.VITE_TMDB_READ_TOKEN }}
+
+          tvdb_api_key: ${{ secrets.VITE_TVDB_API_KEY }}
+
       - name: 💾 Restore build artefacts
         uses: actions/cache/save@v4
         id: cache
@@ -77,6 +88,17 @@ jobs:
           node_version: ${{ env.node_version }}
           pnpm_version: ${{ env.pnpm_version }}
 
+          trakt_production_id: ${{ secrets.VITE_TRAKT_PRODUCTION_ID }}
+          trakt_production_secret: ${{ secrets.VITE_TRAKT_PRODUCTION_SECRET }}
+
+          trakt_staging_id: ${{ secrets.VITE_TRAKT_STAGING_ID }}
+          trakt_staging_secret: ${{ secrets.VITE_TRAKT_STAGING_SECRET }}
+
+          tmdb_api_key: ${{ secrets.VITE_TMDB_API_KEY }}
+          tmdb_read_token: ${{ secrets.VITE_TMDB_READ_TOKEN }}
+
+          tvdb_api_key: ${{ secrets.VITE_TVDB_API_KEY }}
+
       - name: 🗃️ Zip build folder
         run: |
           # =================  🗃️ Zipping build folder  =================

.gitignore

@@ -114,3 +114,6 @@ dist
 *.njsproj
 *.sln
 *.sw?
+
+#env files
+.env.local

env.d.ts

@@ -6,5 +6,16 @@ interface ImportMeta {
     VITE_BASE?: string;
     VITE_WEB?: boolean;
     VITE_SOURCEMAP?: boolean;
+
+    VITE_TRAKT_PRODUCTION_ID: string;
+    VITE_TRAKT_PRODUCTION_SECRET: string;
+
+    VITE_TRAKT_STAGING_ID: string;
+    VITE_TRAKT_STAGING_SECRET: string;
+
+    VITE_TMDB_API_KEY: string;
+    VITE_TMDB_READ_TOKEN: string;
+
+    VITE_TVDB_API_KEY: string;
   };
 }

src/settings/tmdb.api.ts

@@ -3,9 +3,8 @@ import type { TmdbClientSettings } from '~/models/tmdb/tmdb-client.model';
 export const Config = {
   UserAgent: `${import.meta.env.PKG_NAME}/${import.meta.env.PKG_VERSION}`,
   endpoint: 'https://api.themoviedb.org',
-  apiKey: '2ba5f96dda8c09e647721c23b69a3533',
-  readToken:
-    'eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiIyYmE1Zjk2ZGRhOGMwOWU2NDc3MjFjMjNiNjlhMzUzMyIsInN1YiI6IjY1YjY3MzUwMWM2MzViMDE2MjE0MGRkMyIsInNjb3BlcyI6WyJhcGlfcmVhZCJdLCJ2ZXJzaW9uIjoxfQ.lcJ-RqF9ELLotwyrPze7Q-fRyTJhDxrxad1LxHpYdwY',
+  apiKey: import.meta.env.VITE_TMDB_API_KEY,
+  readToken: import.meta.env.VITE_TMDB_READ_TOKEN,
   requestTokenTTL: 15 * 60 * 1000,
   requestTokenUrl: 'https://www.themoviedb.org/auth/access?request_token=',
 } as const;

src/settings/traktv.api.ts

@@ -8,15 +8,15 @@ export const Config = {
 };
 
 export const Production = {
-  ID: '4f2745eb6a58949bd35f4948b70d0dd7184462841052fa11f24d85edc1256a22',
-  Secret: '322d3d1a6d6d9214a1fc120903c8722b266e7643bd708e437ddbb68f5c737fa2',
+  ID: import.meta.env.VITE_TRAKT_PRODUCTION_ID,
+  Secret: import.meta.env.VITE_TRAKT_PRODUCTION_SECRET,
   TraktEndpoint: 'https://api.trakt.tv',
   RedirectionUrl: `chrome-extension://${chromeRuntimeId}/views/options/index.html`,
 } as const;
 
 export const Staging = {
-  ID: 'e3fe38d76cbd787f74ada8f043a69dfc8b20a86569e51ee125bf0c084d6c553c',
-  Secret: '14780b6623c64337f442b06603a5484b9422c4fe3ced7e109a1e0f795a708752',
+  ID: import.meta.env.VITE_TRAKT_STAGING_ID,
+  Secret: import.meta.env.VITE_TRAKT_STAGING_SECRET,
   TraktEndpoint: 'https://api-staging.trakt.tv',
   RedirectionUrl: `chrome-extension://${chromeRuntimeId}/views/options/index.html`,
 } as const;

src/settings/tvdb.api.ts

@@ -4,7 +4,7 @@ export const Config = {
   UserAgent: `${import.meta.env.PKG_NAME}/${import.meta.env.PKG_VERSION}`,
   endpoint: 'https://api4.thetvdb.com',
   version: 'v4',
-  apiKey: '7633408c-e021-43a5-a04a-9f057ab68880',
+  apiKey: import.meta.env.VITE_TVDB_API_KEY,
   /** token time-to-live (28 days) @see [documentation]{@link https://thetvdb.github.io/v4-api/#/Login/post_login} */
   tokenTTL: 28 * 24 * 60 * 60 * 1000,
 } as const;

vite.config.ts

@@ -113,6 +113,7 @@ const getPlugins = (): PluginOption[] => [
 
 export default defineConfig(() => ({
   root: resolveParent('src'),
+  envDir: resolveParent('env'),
   resolve: {
     alias: {
       '~': fileURLToPath(new URL('./src', import.meta.url)),