Hardcoded Sensitive Credentials #17

@Aditya8369

Description

Description: Production/test API keys (Razorpay key_id: rzp_test_BXNSan3NdLPrPa, key_secret: jQLMopwxI1FrtqnrHg3j9e3R) and secret keys (Flask SECRET_KEY, JWT_SECRET_KEY) are hardcoded in backend/config.py. These appear in test files too. This exposes the app to credential theft via git commits or repo access, violating security best practices.

Steps to Fix:

  1. Create a .env file in backend/ with RAZORPAY_KEY_ID=your_prod_key, RAZORPAY_KEY_SECRET=your_prod_secret, SECRET_KEY=generate_strong_key, JWT_SECRET_KEY=generate_strong_jwt_key.
  2. Update config.py to use os.getenv() exclusively (remove the fallback hardcoded values).
  3. Add .env to .gitignore.
  4. Rotate all exposed keys immediately via the Razorpay dashboard.
  5. Use python-dotenv (add it to requirements.txt) and load it in the app factory.
  6. Scan the repo's commit history with git log -p | grep -i razorpay.
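As an added example (not the issue author's or the project's code), this is the shape backend/config.py could take after steps 2 and 5: every secret comes from the environment, a missing one aborts startup instead of falling back to a literal, and a Razorpay test key (the rzp_test_ prefix seen in the leaked key_id) is refused in production. The variable names come from the issue; MIN_SECRET_LEN, the FLASK_ENV check, generate_secret() and preflight_error() are assumptions added for illustration.

```python
"""Environment-only config loader for backend/config.py (added example)."""
import os
import secrets
from typing import Mapping, Optional

try:
    from dotenv import load_dotenv  # python-dotenv; reads backend/.env into os.environ
except ImportError:  # keep the module importable where python-dotenv is not installed
    load_dotenv = None

# Names from the issue; no hardcoded fallback values anywhere in this module.
REQUIRED_VARS = ("RAZORPAY_KEY_ID", "RAZORPAY_KEY_SECRET", "SECRET_KEY", "JWT_SECRET_KEY")
MIN_SECRET_LEN = 32  # assumed policy: generated Flask/JWT secrets must be >= 32 chars


class ConfigError(RuntimeError):
    """Raised at startup so a misconfigured deployment never serves a request."""


def generate_secret(nbytes: int = 48) -> str:
    """Hypothetical helper for 'generate_strong_key': 48 random bytes, URL-safe encoded."""
    return secrets.token_urlsafe(nbytes)


def load_config(env: Mapping[str, str]) -> dict:
    """Build the Flask config from an environment mapping, failing on any gap."""
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise ConfigError("missing required environment variables: " + ", ".join(missing))
    cfg = {name: env[name] for name in REQUIRED_VARS}
    # Razorpay test credentials start with "rzp_test_"; only allow them outside production.
    is_prod = env.get("FLASK_ENV", "production") == "production"
    if is_prod and cfg["RAZORPAY_KEY_ID"].startswith("rzp_test_"):
        raise ConfigError("RAZORPAY_KEY_ID is a test key but FLASK_ENV is production")
    for name in ("SECRET_KEY", "JWT_SECRET_KEY"):
        if len(cfg[name]) < MIN_SECRET_LEN:
            raise ConfigError(f"{name} is shorter than {MIN_SECRET_LEN} chars; generate a strong key")
    return cfg


def preflight_error(env: Mapping[str, str]) -> Optional[str]:
    """Return the validation error for `env`, or None when the config is acceptable."""
    try:
        load_config(env)
    except ConfigError as exc:
        return str(exc)
    return None


def build_config_from_environment(dotenv_path: str = ".env") -> dict:
    """Entry point for the app factory: load backend/.env if present, then validate os.environ."""
    if load_dotenv is not None:
        load_dotenv(dotenv_path)  # no-op when the file does not exist
    return load_config(os.environ)
```

The app factory calls build_config_from_environment() once; a container started without its .env or secret injection fails immediately rather than running with a leaked test key.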
