Phrase Key Leaked

[baileyparker]

FYI: you leak your Phrase API key in your gulp file.

tutanota/web/gulpfile.js

Lines 341 to 347 in 82c96bf

	request('https://phraseapp.com/api/v1/locales?auth_token=64b1dce0ec448d21ec25816186cded22', function (error, response, body) {
	if (!error && response.statusCode == 200) {
	var languages = JSON.parse(body);
	// download each language
	return async.eachSeries(languages, function(lang, callback) {
	// lang is an object eg. {"id": 122, "name": "german", "code": "de-DE", "country_code": "de", "writing_direction": "ltr"}
	request('https://phraseapp.com/api/v1/translations/download?auth_token=64b1dce0ec448d21ec25816186cded22&locale='+ lang.name +'&format=simple_json', function(error, response, body) {

I'm assuming this was accidental, but unsure if this can do any harm beyond hitting rate limits. Regardless, you probably want to change this and replace it with an environment variable.

[armhub]

Thanks for the hint. But with this key you can only download the translations and it is not possible to make any changes. As all translations are public anyway, I guess we do not have to hide this key.