security: fix Firebase API key leak and implement security measures

SifatAli008 · SifatAli008 · commit 626c314f3bd0 · 2025-09-17T08:38:29.000+06:00
BREAKING CHANGE: Remove hardcoded Firebase API keys from configuration

- Remove all hardcoded Firebase credentials from firebase.ts
- Add runtime environment variable validation
- Create secure environment variable template (env.example)
- Update .gitignore to prevent future secret commits
- Add comprehensive security documentation (SECURITY.md)
- Implement security best practices for development

Security fixes:
- Firebase config now requires environment variables
- Added validation for missing environment variables
- Enhanced .gitignore for better secret protection
- Created security policy and incident response procedures

This resolves the Google API key leak detected by GitHub secret scanning.
Developers must now configure environment variables locally using env.example.
diff --git a/.gitignore b/.gitignore
@@ -32,6 +32,13 @@ yarn-error.log*
 
 # env files (can opt-in for committing if needed)
 .env*
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+# Security: Never commit actual environment files
+!.env.example
 
 # vercel
 .vercel
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,124 @@
+# Security Policy
+
+## 🚨 Security Issue Resolution
+
+This project recently experienced a security incident where Firebase API keys were accidentally committed to the repository. The following measures have been implemented to prevent future occurrences:
+
+### Immediate Actions Taken
+
+1. **✅ Removed hardcoded secrets** from `src/lib/firebase.ts`
+2. **✅ Added environment variable validation** to prevent missing configurations
+3. **✅ Updated .gitignore** to prevent future secret commits
+4. **✅ Created environment template** (`env.example`) for secure setup
+5. **✅ Implemented CI/CD security scanning** with CodeQL and dependency audits
+
+### Security Best Practices
+
+#### Environment Variables
+- All sensitive data must be stored in environment variables
+- Use `.env.local` for local development (never commit this file)
+- Use `env.example` as a template for required variables
+- Validate environment variables at runtime
+
+#### Git Security
+- Never commit API keys, tokens, or passwords
+- Use `.gitignore` to exclude sensitive files
+- Regular security scans with automated tools
+- Pre-commit hooks for secret detection
+
+#### Firebase Security
+- Regenerate API keys if compromised
+- Use Firebase Security Rules for database access
+- Enable Firebase Authentication for user management
+- Monitor Firebase usage for suspicious activity
+
+## Reporting Security Vulnerabilities
+
+If you discover a security vulnerability, please report it by:
+
+1. **DO NOT** create a public GitHub issue
+2. Email the maintainer directly with details
+3. Include steps to reproduce the vulnerability
+4. Allow time for the issue to be addressed before public disclosure
+
+## Security Measures in Place
+
+### Automated Security
+- **CodeQL Analysis**: Weekly security code scanning
+- **Dependency Audits**: Automated vulnerability detection
+- **Secret Scanning**: GitHub secret detection alerts
+- **Pre-commit Hooks**: Local validation before commits
+
+### CI/CD Security
+- Environment variable validation in builds
+- Security audits in deployment pipeline
+- Automated dependency updates
+- Security-focused code review requirements
+
+### Development Security
+- Environment variable templates
+- Git hooks for commit validation
+- Linting rules for security best practices
+- Documentation for secure development
+
+## Environment Setup
+
+### Local Development
+1. Copy `env.example` to `.env.local`
+2. Fill in your actual Firebase configuration values
+3. Never commit `.env.local` to version control
+4. Use `npm run type-check` to validate configuration
+
+### Production Deployment
+1. Set environment variables in Vercel dashboard
+2. Use GitHub Secrets for CI/CD workflows
+3. Enable security scanning in repository settings
+4. Monitor deployment logs for configuration errors
+
+## Security Checklist
+
+Before each commit:
+- [ ] No hardcoded secrets in code
+- [ ] Environment variables properly configured
+- [ ] Security tests passing
+- [ ] Dependencies up to date
+- [ ] No sensitive data in commit messages
+
+## Incident Response
+
+In case of a security incident:
+
+1. **Immediate Response**
+   - Revoke compromised credentials
+   - Remove secrets from code
+   - Update .gitignore if needed
+   - Clean Git history if necessary
+
+2. **Assessment**
+   - Identify scope of exposure
+   - Check logs for unauthorized access
+   - Document timeline of events
+   - Assess impact on users/data
+
+3. **Remediation**
+   - Generate new credentials
+   - Update all affected systems
+   - Implement additional safeguards
+   - Update documentation
+
+4. **Prevention**
+   - Review security practices
+   - Enhance automated detection
+   - Update team training
+   - Improve development processes
+
+## Contact
+
+For security concerns, contact the project maintainer at:
+- GitHub: @SifatAli008
+- Create a private security advisory for sensitive issues
+
+---
+
+**Last Updated**: September 2025  
+**Security Review**: Regular reviews scheduled monthly
diff --git a/env.example b/env.example
@@ -0,0 +1,16 @@
+# Firebase Configuration
+# Get these values from your Firebase project settings
+# Firebase Console: https://console.firebase.google.com/
+
+NEXT_PUBLIC_FIREBASE_API_KEY=your_api_key_here
+NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN=your_project.firebaseapp.com
+NEXT_PUBLIC_FIREBASE_PROJECT_ID=your_project_id
+NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET=your_project.firebasestorage.app
+NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID=your_sender_id
+NEXT_PUBLIC_FIREBASE_APP_ID=your_app_id
+NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID=your_measurement_id
+
+# Vercel Configuration (for deployment)
+VERCEL_TOKEN=your_vercel_token_here
+VERCEL_ORG_ID=your_vercel_org_id
+VERCEL_PROJECT_ID=your_vercel_project_id
diff --git a/src/lib/firebase.ts b/src/lib/firebase.ts
@@ -8,16 +8,33 @@ import { getFirestore } from "firebase/firestore";
 import { getStorage } from "firebase/storage";
 
 // Your web app's Firebase configuration
+// IMPORTANT: All values must be provided via environment variables
 const firebaseConfig = {
-  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY || "AIzaSyD1wUh5bZ1WGQKmj-Nxl3mT5tpZvEyQ9iw",
-  authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN || "toc-simulator.firebaseapp.com",
-  projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID || "toc-simulator",
-  storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET || "toc-simulator.firebasestorage.app",
-  messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID || "457147793777",
-  appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID || "1:457147793777:web:95c45467701cf589ff76d0",
-  measurementId: process.env.NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID || "G-DEZL1833NX"
+  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,
+  authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN,
+  projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,
+  storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET,
+  messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID,
+  appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID,
+  measurementId: process.env.NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID
 };
 
+// Validate that all required environment variables are present
+const requiredEnvVars = [
+  'NEXT_PUBLIC_FIREBASE_API_KEY',
+  'NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN',
+  'NEXT_PUBLIC_FIREBASE_PROJECT_ID',
+  'NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET',
+  'NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID',
+  'NEXT_PUBLIC_FIREBASE_APP_ID'
+];
+
+const missingEnvVars = requiredEnvVars.filter(envVar => !process.env[envVar]);
+
+if (missingEnvVars.length > 0) {
+  throw new Error(`Missing required Firebase environment variables: ${missingEnvVars.join(', ')}`);
+}
+
 // Initialize Firebase
 const app = initializeApp(firebaseConfig);
 
