fix: remove hardcoded Google OAuth credentials + clean repo #6
…ed .txt files - Replaced ANTIGRAVITY_CLIENT_ID/SECRET with env var getters - Removed 5MB of unrelated Swift test code files - These were flagged by GitHub secret scanning as containing false positives
Summary of Changes (Gemini Code Assist): This pull request focuses on enhancing the security and cleanliness of the repository. It addresses the critical issue of hardcoded credentials by switching to environment variables, removes unnecessary files to reduce the repo size, and ensures that no secrets are exposed in the repository's history.
Code Review
This pull request successfully removes hardcoded Google OAuth credentials, replacing them with environment variables, which is a great security improvement. It also adds new documentation and a large Rust module for monitoring API usage. My review focuses on improving the robustness and maintainability of the new Rust code and fixing some issues in the new documentation files. Specifically, I've pointed out areas with brittle error handling, hardcoded values that should be constants, and incorrect information in the documentation.
| match response { | ||
| Ok(res) => { | ||
| if res.status().is_success() { | ||
| let body = res.text().await.unwrap_or_default(); |
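Review bot: the failure reason from `res.text().await` is thrown away at `let body = res.text().await.unwrap_or_default();`, so a timed-out or truncated body is indistinguishable from a genuinely empty 200 response; at minimum log the error before defaulting, or return `Result` and propagate it with `?`. The non-success branch is not visible in this hunk, so please also confirm that a 401/403 from an expired token surfaces as an authentication failure rather than falling into the same default path.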
Using unwrap_or_default() here hides potential errors when reading the response body. If res.text().await fails, the function will proceed with an empty string, which will then cause serde_json::from_str to fail (though that error is also suppressed by unwrap_or). This can lead to silent failures where the function appears to succeed but returns mock data, even when a real error occurred. The error should be handled explicitly.
| ## Project Overview | ||
| **Location:** `E:/scripts-python/ai-monitor` |
The file path E:/scripts-python/ai-monitor is a hardcoded absolute path specific to a local machine. This is not portable and exposes information about the local file system. It should be replaced with a relative path, a placeholder, or removed if not essential.
| **Location:** `E:/scripts-python/ai-monitor` | |
| **Location:** `<project-root>` |
| ```bash | ||
| # Instalar dependencias | ||
| npm test |
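Review bot: the comment `# Instalar dependencias` ("Install dependencies") does not match the command under it, `npm test`; either the command should be `npm install` or the comment should say it runs the test suite. The rest of the new docs are in English, so the comment language should match as well.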
| if diff > 10.0 { | ||
| Some(UsagePace { | ||
| percentage: diff, | ||
| label: "ahead".to_string(), | ||
| emoji: "Ôåæ".to_string(), | ||
| }) | ||
| } else if diff < -10.0 { | ||
| Some(UsagePace { | ||
| percentage: diff.abs(), | ||
| label: "behind".to_string(), | ||
| emoji: "Ôåô".to_string(), | ||
| }) | ||
| } else { | ||
| Some(UsagePace { | ||
| percentage: 0.0, | ||
| label: "on_track".to_string(), | ||
| emoji: "Ô£ô".to_string(), | ||
| }) | ||
| } |
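Review bot: every branch of this `if`/`else if`/`else` returns `Some(...)`, so unless a guard above the snippet returns `None`, the `Option` in the return type is never `None` and callers unwrap for nothing; consider returning `UsagePace` directly. The `10.0` tolerance is also duplicated as a literal in `diff > 10.0` and `diff < -10.0`; a single named constant (e.g. `PACE_TOLERANCE_PCT`) keeps the two comparisons from drifting apart.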
The emoji strings appear to be garbled, likely due to an encoding issue. These will not render as the intended emojis. They should be replaced with the actual Unicode emoji characters for 'ahead', 'behind', and 'on_track'.
| if diff > 10.0 { | |
| Some(UsagePace { | |
| percentage: diff, | |
| label: "ahead".to_string(), | |
| emoji: "Ôåæ".to_string(), | |
| }) | |
| } else if diff < -10.0 { | |
| Some(UsagePace { | |
| percentage: diff.abs(), | |
| label: "behind".to_string(), | |
| emoji: "Ôåô".to_string(), | |
| }) | |
| } else { | |
| Some(UsagePace { | |
| percentage: 0.0, | |
| label: "on_track".to_string(), | |
| emoji: "Ô£ô".to_string(), | |
| }) | |
| } | |
| if diff > 10.0 { | |
| Some(UsagePace { | |
| percentage: diff, | |
| label: "ahead".to_string(), | |
| emoji: "🚀".to_string(), | |
| }) | |
| } else if diff < -10.0 { | |
| Some(UsagePace { | |
| percentage: diff.abs(), | |
| label: "behind".to_string(), | |
| emoji: "🐢".to_string(), | |
| }) | |
| } else { | |
| Some(UsagePace { | |
| percentage: 0.0, | |
| label: "on_track".to_string(), | |
| emoji: "✅".to_string(), | |
| }) | |
| } |
| let response = client | ||
| .get("https://chatgpt.com/backend-api/accounts/check/v4-2023-04-27") | ||
| .header("Authorization", format!("Bearer {}", token)) | ||
| .header("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36") |
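Review bot: the endpoint URL and the browser-style `User-Agent` value are inline literals inside the request builder; hoist both to module-level constants. The UA here claims to be Chrome while the other client in this PR identifies as `antigravity/1.11.3 Darwin/arm64`, so pick one consistent client identifier. Please also make sure the `Authorization` header value is never included in logs or error messages on the failure path of this request.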
| fn get_google_client_id() -> String { | ||
| std::env::var("GOOGLE_CLIENT_ID").unwrap_or_else(|_| "YOUR_GOOGLE_CLIENT_ID".to_string()) | ||
| } | ||
| fn get_google_client_secret() -> String { | ||
| std::env::var("GOOGLE_CLIENT_SECRET").unwrap_or_else(|_| "YOUR_GOOGLE_CLIENT_SECRET".to_string()) | ||
| } |
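Review bot: removing the literal credentials from the source does not revoke them; if the client secret was ever committed it is still in git history, so rotating the OAuth client secret in the Google Cloud console (and rewriting history if the repository is public) should be part of this change. Separately, the placeholder fallbacks `"YOUR_GOOGLE_CLIENT_ID"` / `"YOUR_GOOGLE_CLIENT_SECRET"` mean a misconfigured deployment sends fake credentials to Google instead of failing early; a startup configuration check that returns an error is preferable to silently substituting placeholders.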
Using unwrap_or_else to provide placeholder credentials when environment variables are not set can lead to confusing runtime errors, as the application will try to authenticate with invalid credentials. It's better to fail fast at startup if these environment variables are required. Using .expect() will cause the application to panic with a clear error message, immediately indicating the configuration issue.
| fn get_google_client_id() -> String { | |
| std::env::var("GOOGLE_CLIENT_ID").unwrap_or_else(|_| "YOUR_GOOGLE_CLIENT_ID".to_string()) | |
| } | |
| fn get_google_client_secret() -> String { | |
| std::env::var("GOOGLE_CLIENT_SECRET").unwrap_or_else(|_| "YOUR_GOOGLE_CLIENT_SECRET".to_string()) | |
| } | |
| fn get_google_client_id() -> String { | |
| std::env::var("GOOGLE_CLIENT_ID").expect("GOOGLE_CLIENT_ID must be set") | |
| } | |
| fn get_google_client_secret() -> String { | |
| std::env::var("GOOGLE_CLIENT_SECRET").expect("GOOGLE_CLIENT_SECRET must be set") | |
| } |
| match refresh_google_token(token_or_refresh, &get_google_client_id(), &get_google_client_secret()).await { | ||
| Ok(t) => t, | ||
| Err(e) => { | ||
| let is_unauthorized_client = e.to_lowercase().contains("unauthorized_client"); |
Checking for substrings in a formatted error string (e.to_lowercase().contains("unauthorized_client")) is brittle and can break if the error message format changes. A more robust approach would be to have refresh_google_token return a structured error. The error response from Google's token endpoint is typically JSON, which can be parsed to extract a specific error code (e.g., unauthorized_client). This would allow for more reliable error handling.
| token_or_refresh.to_string() | ||
| }; | ||
| let user_agent = "antigravity/1.11.3 Darwin/arm64"; |
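Review bot: the `token_or_refresh.to_string()` line just before `};` appears to be the value of the `Err(e)` arm, meaning that after a failed refresh the code carries on with whatever string was passed in as the bearer token; if that was a refresh token it is then sent to the API as an access token, so the refresh failure should be returned to the caller instead. If `e` is logged anywhere, confirm it does not echo the request, which carries the refresh token and client secret. Finally, `let user_agent = "antigravity/1.11.3 Darwin/arm64";` hardcodes a version string that will go stale; derive it from `env!("CARGO_PKG_VERSION")` or a single constant.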
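The structured-error approach suggested in the review comment above, as an added example that is not code from this PR: the Google token endpoint's error JSON is mapped to an enum and classified, so callers never substring-match a formatted string. `json_string_field`, `classify_token_error` and `needs_reauth` are names chosen here; the field extractor is a crate-free stand-in for serde_json.

```rust
// Added example, not code from the PR: map the Google OAuth2 token-endpoint
// error JSON onto a structured error instead of substring-matching a String.
// json_string_field is a tiny stand-in for serde_json so this needs no crates.

#[derive(Debug, PartialEq)]
pub enum TokenError {
    InvalidGrant,       // refresh token revoked/expired: user must re-authorize
    UnauthorizedClient, // client not allowed for this grant: client config issue
    InvalidClient,      // client_id/secret rejected: check GOOGLE_CLIENT_ID/SECRET
    Other(String),      // any other OAuth error code, kept verbatim
    Unparseable(u16),   // non-JSON body: keep only the status, never echo the body
}

/// Extract the string value of `"key": "..."` from a flat JSON object.
/// Assumes no escaped quotes inside the value (enough for OAuth error bodies).
fn json_string_field(body: &str, key: &str) -> Option<String> {
    let needle = format!("\"{}\"", key);
    let after_key = &body[body.find(&needle)? + needle.len()..];
    let value = after_key.trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    Some(value[..value.find('"')?].to_string())
}

/// Classify a failed token-endpoint response by its body, falling back to the status.
pub fn classify_token_error(status: u16, body: &str) -> TokenError {
    match json_string_field(body, "error").as_deref() {
        Some("invalid_grant") => TokenError::InvalidGrant,
        Some("unauthorized_client") => TokenError::UnauthorizedClient,
        Some("invalid_client") => TokenError::InvalidClient,
        Some(other) => TokenError::Other(other.to_string()),
        None => TokenError::Unparseable(status),
    }
}

/// Only InvalidGrant is fixable by signing in again; everything else is a
/// configuration error to surface to the operator, not a case to retry or
/// paper over by reusing the old token.
pub fn needs_reauth(err: &TokenError) -> bool {
    matches!(err, TokenError::InvalidGrant)
}

fn main() {
    // Constructed sample body in the shape Google's token endpoint returns.
    let body = r#"{"error": "unauthorized_client", "error_description": "Unauthorized"}"#;
    let err = classify_token_error(401, body);
    println!("{:?} needs_reauth={}", err, needs_reauth(&err));
}
```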
- ESLint configured via security-quality-fixer
- npm audit fix applied
- Daily security fix 2026-03-23