fix: mark client side variable as server side to add security for sensitive env keys#1242
Merged
pranalidhanavade merged 1 commit intomainfrom Sep 23, 2025
Merged
Conversation
…nsitive env keys Signed-off-by: pranalidhanavade <pranali.dhanavade@ayanworks.com>
![ellipsis-dev[bot]](https://avatars.githubusercontent.com/in/64358?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Caution
Changes requested ❌
Reviewed everything up to dce3d5e in 2 minutes and 16 seconds. Click for details.
- Reviewed
191lines of code in7files - Skipped
0files when reviewing. - Skipped posting
3draft comments. View those below. - Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. src/app/api/Auth.ts:234
- Draft comment:
There are two encryption functions (async and sync) with similar logic. Consider consolidating them to avoid duplication and potential maintenance issues. - Reason this comment was not posted:
Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 20% vs. threshold = 50% The functions appear to be doing different things - one is a wrapper around an external action that handles sign-in specific encryption with additional params, while the other is a simple password encryption utility. Without seeing the implementation of encryptPasswordActionForSignIn, I can't confirm they use similar logic. The similarity in names doesn't necessarily mean duplicated functionality. I could be wrong about them being different - maybe encryptPasswordActionForSignIn does use the same CryptoJS logic under the hood. The async vs sync difference could be artificial. Even if the underlying encryption is similar, the functions serve different purposes in the codebase based on their signatures and usage patterns. Consolidating them could make the code less clear. The comment should be deleted as there isn't strong evidence that these functions represent problematic duplication - they appear to serve distinct purposes despite similar names.
2. src/features/verification/components/SchemaListUtils.ts:88
- Draft comment:
Ensure that decryptValue is only executed in a secure (server-side) context as it uses CRYPTO_PRIVATE_KEY. Exposing this key in client bundles can be a security risk. - Reason this comment was not posted:
Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 20% vs. threshold = 50% The comment raises a valid security concern, but it starts with "Ensure that..." which violates our rules. Additionally, the code change itself is actually fixing the security issue by moving from a public to private env var. The comment seems to be more of a general warning rather than addressing a specific issue that needs to be fixed. Without seeing where this function is used, we can't definitively say there's a problem. The comment could be identifying a real security risk if this function is used client-side. The code change alone doesn't guarantee proper usage. While the security concern is valid in general, the comment doesn't point to specific evidence of misuse, and the code change itself is actually improving security. Delete the comment because it starts with "Ensure that..." and doesn't point to specific evidence of misuse. The code change itself is actually improving security by removing NEXT_PUBLIC_.
3. src/features/profile/components/Billing.tsx:27
- Draft comment:
Link for the 'PRO' plan has been updated to '/pricing'. Confirm that this change aligns with the intended design. - Reason this comment was not posted:
Confidence changes required:33%<= threshold50%None
Workflow ID: wflow_HBGxF2HX1eLpifj6
You can customize 
pranalidhanavade
changed the title
shitrerohit
approved these changes
Sep 23, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Important
Enhance security by marking sensitive environment keys as server-side and refactor password encryption logic.
CRYPTO_PRIVATE_KEYas server-side only inpasswordActions.tsandAuth.tsto prevent exposure of sensitive keys.decryptValue()inSchemaListUtils.tsto use server-sideCRYPTO_PRIVATE_KEY.encryptPasswordActionForSignInandencryptPasswordActioninpasswordActions.ts.passwordEncryptionwithencryptPasswordActioninSessionManager.tsx.passwordEncryptionwithpasswordEncryptionForSignIninuser-auth-form.tsx./billingto/pricinginBilling.tsx.This description was created by
for dce3d5e. You can customize this summary. It will automatically update as commits are pushed.