Sanitize secrets and env usage

lovable-dev[bot] · lovable-dev[bot] · commit d08d9324d890 · 2026-01-10T19:12:13.000Z
- Remove hardcoded anon keys and project URLs scattered across codebase
- Replace hardcoded URLs with environment variables
- Delete vulnerable archived migration and align mcp-server with env-based config
- Ensure all openapi/docs reflect env-based base URLs for production safety

X-Lovable-Edit-ID: edt-ebbb96e9-1dd6-46de-8b45-fc8052bf2b04
diff --git a/mcp-server/.env.example b/mcp-server/.env.example
@@ -1,4 +1,4 @@
-SUPABASE_URL=https://vatgianzotsurljznsry.supabase.co
+SUPABASE_URL=https://your-project-id.supabase.co
 SUPABASE_SERVICE_KEY=your-service-role-key-here
 
 # Optional: Redis caching (Upstash)
diff --git a/mcp-server/src/utils/supabase.ts b/mcp-server/src/utils/supabase.ts
@@ -5,7 +5,7 @@
 import { createClient, SupabaseClient } from "@supabase/supabase-js";
 
 // Supabase configuration from environment
-const SUPABASE_URL = process.env.SUPABASE_URL || "https://vatgianzotsurljznsry.supabase.co";
+const SUPABASE_URL = process.env.SUPABASE_URL || "";
 const SUPABASE_SERVICE_KEY = process.env.SUPABASE_SERVICE_KEY || "";
 
 /**
diff --git a/public/openapi.json b/public/openapi.json
@@ -2,7 +2,7 @@
   "openapi": "3.0.3",
   "info": {
     "title": "Eryxon Flow API",
-    "description": "Production workflow management API for sheet metal manufacturing. This API allows you to manage jobs, parts, tasks, and track production progress through various stages.\n\n## Authentication\n\nAll API requests require an API key. Include your API key in the `Authorization` header:\n\n```\nAuthorization: Bearer ery_live_your_api_key_here\n```\n\n## Getting Started\n\n1. **Generate an API Key**: Navigate to Admin > API Keys in the web interface\n2. **Test the Connection**: Use the `/api-stages` endpoint (read-only) to verify your key works\n3. **Create Your First Job**: Use POST `/api-jobs` to create a job with parts and tasks\n4. **Track Progress**: Use GET endpoints to retrieve and monitor job status\n\n## Rate Limiting\n\nAPI requests are rate-limited based on your subscription plan:\n\n| Plan | Daily Limit |\n|------|-------------|\n| Free | 100 requests/day |\n| Pro | 1,000 requests/day |\n| Premium | 10,000 requests/day |\n| Enterprise | Unlimited |\n\nRate limit information is included in response headers:\n- `X-RateLimit-Remaining`: Remaining requests in current window\n- `X-RateLimit-Reset`: Timestamp when the limit resets\n- `Retry-After`: Seconds until you can retry (when rate limited)\n\nWhen you exceed your rate limit, you'll receive a `429 Too Many Requests` response.\n\n## Base URL\n\n```\nhttps://vatgianzotsurljznsry.supabase.co/functions/v1\n```",
+    "description": "Production workflow management API for sheet metal manufacturing. This API allows you to manage jobs, parts, tasks, and track production progress through various stages.\n\n## Authentication\n\nAll API requests require an API key. Include your API key in the `Authorization` header:\n\n```\nAuthorization: Bearer ery_live_your_api_key_here\n```\n\n## Getting Started\n\n1. **Generate an API Key**: Navigate to Admin > API Keys in the web interface\n2. **Test the Connection**: Use the `/api-stages` endpoint (read-only) to verify your key works\n3. **Create Your First Job**: Use POST `/api-jobs` to create a job with parts and tasks\n4. **Track Progress**: Use GET endpoints to retrieve and monitor job status\n\n## Rate Limiting\n\nAPI requests are rate-limited based on your subscription plan:\n\n| Plan | Daily Limit |\n|------|-------------|\n| Free | 100 requests/day |\n| Pro | 1,000 requests/day |\n| Premium | 10,000 requests/day |\n| Enterprise | Unlimited |\n\nRate limit information is included in response headers:\n- `X-RateLimit-Remaining`: Remaining requests in current window\n- `X-RateLimit-Reset`: Timestamp when the limit resets\n- `Retry-After`: Seconds until you can retry (when rate limited)\n\nWhen you exceed your rate limit, you'll receive a `429 Too Many Requests` response.\n\n## Base URL\n\nThe base URL is your Supabase project URL followed by `/functions/v1`.",
     "version": "1.0.0",
     "contact": {
       "name": "API Support",
@@ -11,8 +11,14 @@
   },
   "servers": [
     {
-      "url": "https://vatgianzotsurljznsry.supabase.co/functions/v1",
-      "description": "Production Server"
+      "url": "{baseUrl}/functions/v1",
+      "description": "Production Server",
+      "variables": {
+        "baseUrl": {
+          "default": "https://your-project-id.supabase.co",
+          "description": "Your Supabase project URL"
+        }
+      }
     }
   ],
   "security": [
diff --git a/src/lib/event-dispatch.ts b/src/lib/event-dispatch.ts
@@ -194,7 +194,7 @@ async function dispatchToWebhooks(
       return { success: false, error: 'Not authenticated' };
     }
 
-    const supabaseUrl = import.meta.env.VITE_SUPABASE_URL || 'https://vatgianzotsurljznsry.supabase.co';
+    const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
 
     const response = await fetch(
       `${supabaseUrl}/functions/v1/webhook-dispatch`,
@@ -242,7 +242,7 @@ async function dispatchToMqtt(
       return { success: false, error: 'Not authenticated' };
     }
 
-    const supabaseUrl = import.meta.env.VITE_SUPABASE_URL || 'https://vatgianzotsurljznsry.supabase.co';
+    const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
 
     const response = await fetch(
       `${supabaseUrl}/functions/v1/mqtt-publish`,
diff --git a/src/lib/mqtt-publishers.ts b/src/lib/mqtt-publishers.ts
@@ -52,7 +52,7 @@ export async function triggerMqttPublish(
       return { success: false, error: 'Not authenticated' };
     }
 
-    const supabaseUrl = import.meta.env.VITE_SUPABASE_URL || 'https://vatgianzotsurljznsry.supabase.co';
+    const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
 
     const response = await fetch(
       `${supabaseUrl}/functions/v1/mqtt-publish`,
diff --git a/src/lib/webhooks.ts b/src/lib/webhooks.ts
@@ -50,8 +50,8 @@ export async function triggerWebhook(
       return { success: false, error: 'Not authenticated' };
     }
 
-    // Get Supabase URL from environment or construct from current origin
-    const supabaseUrl = import.meta.env.VITE_SUPABASE_URL || 'https://vatgianzotsurljznsry.supabase.co';
+    // Get Supabase URL from environment
+    const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
     
     const response = await fetch(
       `${supabaseUrl}/functions/v1/webhook-dispatch`,
diff --git a/src/pages/admin/DataExport.tsx b/src/pages/admin/DataExport.tsx
@@ -72,7 +72,7 @@ export default function DataExport() {
 
       // Call export API
       const entities = selectedEntities.join(',');
-      const supabaseUrl = import.meta.env.VITE_SUPABASE_URL || 'https://vatgianzotsurljznsry.supabase.co';
+      const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
       const response = await fetch(
         `${supabaseUrl}/functions/v1/api-export?entities=${entities}&format=${exportFormat}`,
         {
diff --git a/src/pages/admin/DataImport.tsx b/src/pages/admin/DataImport.tsx
@@ -306,7 +306,7 @@ export default function DataImport() {
       if (!session) throw new Error('Not authenticated');
 
       const transformedData = transformData();
-      const supabaseUrl = import.meta.env.VITE_SUPABASE_URL || 'https://vatgianzotsurljznsry.supabase.co';
+      const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
 
       // Chunk data into batches of 100
       const BATCH_SIZE = 100;
diff --git a/src/pages/admin/config/ApiKeys.tsx b/src/pages/admin/config/ApiKeys.tsx
@@ -77,8 +77,9 @@ export default function ConfigApiKeys() {
       const { data: { session } } = await supabase.auth.getSession();
       if (!session) throw new Error('Not authenticated');
 
+      const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
       const response = await fetch(
-        `https://vatgianzotsurljznsry.supabase.co/functions/v1/api-key-generate`,
+        `${supabaseUrl}/functions/v1/api-key-generate`,
         {
           method: 'POST',
           headers: {
@@ -386,7 +387,7 @@ export default function ConfigApiKeys() {
                   <div className="flex-1">
                     <p className="text-sm font-medium">Base URL</p>
                     <code className="text-xs bg-muted px-2 py-1 rounded block break-all">
-                      https://vatgianzotsurljznsry.supabase.co/functions/v1
+                      {import.meta.env.VITE_SUPABASE_URL}/functions/v1
                     </code>
                   </div>
                 </div>
diff --git a/src/pages/common/ApiDocs.tsx b/src/pages/common/ApiDocs.tsx
@@ -32,7 +32,7 @@ import { useToast } from "@/hooks/use-toast";
 export default function ApiDocs() {
   const { toast } = useToast();
   const [apiKey, setApiKey] = useState("");
-  const baseUrl = import.meta.env.VITE_SUPABASE_URL?.replace('/supabase', '') || "https://vatgianzotsurljznsry.supabase.co";
+  const baseUrl = import.meta.env.VITE_SUPABASE_URL?.replace('/supabase', '') || "";
   const apiBaseUrl = `${baseUrl}/functions/v1`;
 
   const copyToClipboard = (text: string, label: string) => {
diff --git a/supabase/migrations/archive/20251117174506_3cd88d26-53e5-4f85-8e34-68bed96c41ce.sql b/supabase/migrations/archive/20251117174506_3cd88d26-53e5-4f85-8e34-68bed96c41ce.sql

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-SUPABASE_URL=https://vatgianzotsurljznsry.supabase.co`
	`1`	`+SUPABASE_URL=https://your-project-id.supabase.co`
`2`	`2`	`SUPABASE_SERVICE_KEY=your-service-role-key-here`
`3`	`3`
`4`	`4`	`# Optional: Redis caching (Upstash)`
Original file line number	Diff line number	Diff line change
`@@ -194,7 +194,7 @@ async function dispatchToWebhooks(`
`194`	`194`	`return { success: false, error: 'Not authenticated' };`
`195`	`195`	`}`
`196`	`196`
`197`		`- const supabaseUrl = import.meta.env.VITE_SUPABASE_URL \|\| 'https://vatgianzotsurljznsry.supabase.co';`
	`197`	`+ const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;`
`198`	`198`
`199`	`199`	`const response = await fetch(`
`200`	`200`	`${supabaseUrl}/functions/v1/webhook-dispatch`,
`@@ -242,7 +242,7 @@ async function dispatchToMqtt(`
`242`	`242`	`return { success: false, error: 'Not authenticated' };`
`243`	`243`	`}`
`244`	`244`
`245`		`- const supabaseUrl = import.meta.env.VITE_SUPABASE_URL \|\| 'https://vatgianzotsurljznsry.supabase.co';`
	`245`	`+ const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;`
`246`	`246`
`247`	`247`	`const response = await fetch(`
`248`	`248`	`${supabaseUrl}/functions/v1/mqtt-publish`,
Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ export async function triggerMqttPublish(`
`52`	`52`	`return { success: false, error: 'Not authenticated' };`
`53`	`53`	`}`
`54`	`54`
`55`		`- const supabaseUrl = import.meta.env.VITE_SUPABASE_URL \|\| 'https://vatgianzotsurljznsry.supabase.co';`
	`55`	`+ const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;`
`56`	`56`
`57`	`57`	`const response = await fetch(`
`58`	`58`	`${supabaseUrl}/functions/v1/mqtt-publish`,
Original file line number	Diff line number	Diff line change
`@@ -50,8 +50,8 @@ export async function triggerWebhook(`
`50`	`50`	`return { success: false, error: 'Not authenticated' };`
`51`	`51`	`}`
`52`	`52`
`53`		`- // Get Supabase URL from environment or construct from current origin`
`54`		`- const supabaseUrl = import.meta.env.VITE_SUPABASE_URL \|\| 'https://vatgianzotsurljznsry.supabase.co';`
	`53`	`+ // Get Supabase URL from environment`
	`54`	`+ const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;`
`55`	`55`
`56`	`56`	`const response = await fetch(`
`57`	`57`	`${supabaseUrl}/functions/v1/webhook-dispatch`,
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ export default function DataExport() {`
`72`	`72`
`73`	`73`	`// Call export API`
`74`	`74`	`const entities = selectedEntities.join(',');`
`75`		`- const supabaseUrl = import.meta.env.VITE_SUPABASE_URL \|\| 'https://vatgianzotsurljznsry.supabase.co';`
	`75`	`+ const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;`
`76`	`76`	`const response = await fetch(`
`77`	`77`	`${supabaseUrl}/functions/v1/api-export?entities=${entities}&format=${exportFormat}`,
`78`	`78`	`{`