Description
The AI Music widget in js/widgets/aiwidget.js (line 1188) passes the GROQ API key directly in a client-side fetch() call:

```js
"Authorization": `Bearer ${env.GROQ_API_KEY}`
```
This exposes the API key to anyone who opens the browser DevTools (Network tab), making it trivial to steal.
Additionally, env.GROQ_API_KEY is never actually provided by env.js or the Express /env.js route, so the AI widget feature is currently non-functional.
Security Impact
- API key visible in browser DevTools → anyone can steal it
- Stolen key allows unlimited API calls at the project's expense
- Browser extensions or malicious scripts could intercept the key
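One way to close this, as an added example that is not code from the Music Blocks repository or from the issue author: move the Groq call behind a same-origin Express route, so the browser never holds the key and nothing in env.js or the /env.js route has to carry it (serving GROQ_API_KEY from /env.js would make the widget work but would leave it just as exposed in DevTools). Assumptions, not taken from the page: the route path /api/ai-music, the OpenAI-compatible Groq chat-completions URL, a model name, and that express.json() is mounted before the route; upstreamFetch is injected so the handler can be exercised without network access.

```javascript
"use strict";
// Added example, not Music Blocks code. The browser sends only the prompt to a
// same-origin route; the server attaches Authorization from process.env and
// forwards to Groq. The key therefore never appears in a bundle or DevTools.

// Assumed upstream endpoint (Groq's OpenAI-compatible API); not from the page.
const UPSTREAM_URL = "https://api.groq.com/openai/v1/chat/completions";
const MODEL = "llama3-8b-8192"; // hypothetical model name
const MAX_PROMPT_CHARS = 2000;

// --- Browser side: what aiwidget.js would send instead of the keyed call ---
// Note the absence of any Authorization header.
function buildClientRequest(prompt) {
  return {
    url: "/api/ai-music",
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ prompt }),
    },
  };
}

// --- Server side: the only place the key is ever used ---
function buildUpstreamRequest(prompt, apiKey) {
  return {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${apiKey}`,
    },
    body: JSON.stringify({
      model: MODEL,
      messages: [{ role: "user", content: prompt }],
    }),
  };
}

// Core proxy logic, kept free of HTTP plumbing so it can be tested offline.
// `upstreamFetch` has the global fetch signature: (url, init) => Promise<Response>.
async function proxyAiMusic(body, { apiKey, upstreamFetch }) {
  if (!apiKey) {
    // Matches the second finding in the report: if GROQ_API_KEY is not set,
    // fail closed instead of sending "Bearer undefined" upstream.
    return { status: 503, body: { error: "AI music feature is not configured" } };
  }
  const prompt = body && typeof body === "object" ? body.prompt : undefined;
  if (typeof prompt !== "string" || prompt.trim().length === 0 || prompt.length > MAX_PROMPT_CHARS) {
    return { status: 400, body: { error: "prompt must be a non-empty string" } };
  }
  const upstream = await upstreamFetch(UPSTREAM_URL, buildUpstreamRequest(prompt, apiKey));
  if (!upstream.ok) {
    // Never relay the upstream error body: auth errors can echo request headers.
    return { status: 502, body: { error: "upstream AI service error" } };
  }
  return { status: 200, body: await upstream.json() };
}

// Express route handler. Assumes app.use(express.json()) is mounted so that
// req.body is already parsed. Usage (assumed): app.post("/api/ai-music", aiMusicRoute());
function aiMusicRoute(deps = { apiKey: process.env.GROQ_API_KEY, upstreamFetch: globalThis.fetch }) {
  return async (req, res) => {
    const { status, body } = await proxyAiMusic(req.body, deps);
    res.status(status).json(body);
  };
}
```

The key is read from process.env on the server only; if the current key has ever shipped in a deployed bundle, rotate it, since the proxy cannot un-expose it. The route is also the natural place to add rate limiting and a per-session cap, which addresses the "unlimited API calls at the project's expense" point for anyone who can still reach the proxy.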