Critical: Secrets management vulnerabilities and risk of accidental credential leakage

[iamitprakash]

Summary

There are multiple high-risk issues related to secrets management and the handling of sensitive credentials in the repository. The current setup exposes the project to potential accidental leakage of Firebase service accounts, JWT private keys, and other critical secrets. Several scripts print secrets to logs, and sensitive values are read from potentially committed files, increasing exposure risk.

Details and Evidence

1. Secrets in .env.local & Service Account Storage

   • Scripts (e.g., scripts/test-firestore.ts, scripts/inspect-*.ts, etc.) load FIRESTORE_CONFIG from .env.local, JSON-parse it, and use it as a service account. If .env.local is committed or mishandled, this leaks full Firebase admin access.
   • Many scripts pattern: read .env.local → set process.env.
   • Risk: If secrets/service account JSON or private keys are ever committed or leaked in logs, attackers can take over the backend, data, or billing.

2. Secret Logging in Scripts

   • Key material and service account metadata are printed with console.log. Example cases:
     • scripts/convert-key.ts: logs contents of the public/private key.
     • scripts/test-firestore.ts: prints email, project, and potentially entire service account objects.
   • Risk: If run in CI or output is captured, secrets may be disclosed unintentionally.

3. JWT Key Confusion: Private/Public Key Handling

   • Docs (README.md, TODO.md): mix up instructions about storing JWT private keys vs. public keys, warning to "use PUBLIC KEY for verification," but some scripts read "private" keys or instruct users to add private keys.
   • Risk: If verification logic uses private key or distributes it, tokens could be forged or secrets leaked.

4. Hardcoded IDs and Credentials in Code

   • Example: src/lib/users.ts with ROOT_USER_IDS = ['XAF7rSUvk4p0d098qWYS'], users/test values in scripts.
   • Risk: Hardcoded sensitive IDs may allow for privilege mapping or intentional misuse if code is ever public.

Recommendations

• Add .env.local to .gitignore and check for any accidental commits of secrets—rotate any keys that have leaked, including service account JSON.
• Remove console.log statements that print secrets or sensitive data—replace with masked or length/log-only info.
• Enforce best-practice secret management: use GCP Secret Manager or another provider for service account keys (never check into code or store in shared env files).
• Audit all scripts for any accidental logs or manipulations of secrets before use in CI or public logs.
• Clarify JWT usage to ensure private key is ONLY used for signing, public key ONLY for verification.
• Conduct a repo-wide scan with tools like gitleaks, truffleHog, or detect-secrets.
• Review and harden Firestore security rules for excessive permissiveness or potential data exfiltration.

---

References (file paths with problems)

• scripts/test-firestore.ts, scripts/convert-key.ts, scripts/inspect-*, .env.local, documentation files (README.md, TODO.md)

Severity: Critical, should be addressed before any public distribution or addition of contributors.

Additional details and tailored patches available on request.