fix(security): proxy Chainalysis API key through server-side route#547
danieloche635-bit wants to merge 2 commits into
Conversation
- Replace localStorage plaintext UUID storage with salted hash
- Add per-session salt stored in sessionStorage
- Add synchronous hash function for device identity
- Update tests to verify hashed storage behavior

Closes MettaChain#448

- Add /api/security/address-check Next.js API route to proxy Chainalysis requests
- Remove API key exposure from browser via window global (__CHAINALYSIS_API_KEY__)
- Move API key to server-only CHAINALYSIS_API_KEY env variable
- Add security:check-globals npm script to prevent future __ global leaks
- Update tests to verify proxy endpoint usage

Closes MettaChain#442
@danieloche635-bit Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Subsumed by #560 — same fix already in that bundle. Closing this duplicate.
nanaf6203-bit
left a comment
Thanks @danieloche635-bit — proxying the Chainalysis API key through a server-side route is the right call for #442. Heads up: there are merge conflicts with current main. Please rebase onto the latest main and resolve so we can get this in. 🔑
Hi @danieloche635-bit — this branch is conflicting with main now. Could you rebase onto the latest main and push? Happy to merge as soon as the conflicts are resolved. Thanks!
Summary (P0)
The Chainalysis API key was exposed via (window as any).CHAINALYSIS_API_KEY in the browser bundle, making it trivially extractable via DevTools.
Changes
Tests
Closes #442
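A worked version of the pattern this PR describes, added here as an example and not code from the PR or the MettaChain project: the browser-side call that read the key from a window global, beside a server-side proxy route that keeps the key in the server-only CHAINALYSIS_API_KEY variable and validates input before forwarding. The route path and env var name come from the PR; the upstream URL, the auth header name, the address allow-list and the returned field are assumptions.

```javascript
// Added example, not the PR's code. Route path /api/security/address-check and
// env var CHAINALYSIS_API_KEY come from the PR; everything else is assumed.

// Placeholder upstream, not the vendor's real endpoint.
const UPSTREAM_BASE = "https://upstream.example.invalid/addresses";

// Coarse allow-list for the address path segment; tighten per supported chain.
const ADDRESS_RE = /^[A-Za-z0-9]{20,100}$/;

// BEFORE (the exposure fixed by the PR): the browser called the vendor directly
// with a key read from a window global, so the key shipped in the bundle.
function vulnerableClientRequest(address) {
  const key = window.__CHAINALYSIS_API_KEY__; // visible in DevTools / view-source
  return fetch(`${UPSTREAM_BASE}/${address}`, { headers: { Token: key } });
}

// AFTER: framework-agnostic proxy core. The key only exists server-side, the
// address is validated before it reaches the upstream URL, and the response is
// reduced to the fields the UI needs so nothing about the key leaks back.
async function proxyAddressCheck(address, { apiKey, fetchImpl, upstreamBase }) {
  if (!apiKey) return { status: 500, body: { error: "server misconfigured" } };
  if (typeof address !== "string" || !ADDRESS_RE.test(address)) {
    return { status: 400, body: { error: "invalid address" } };
  }
  const upstream = await fetchImpl(
    `${upstreamBase}/${encodeURIComponent(address)}`,
    { headers: { Token: apiKey, Accept: "application/json" } }, // header name assumed
  );
  if (!upstream.ok) return { status: 502, body: { error: "upstream error" } };
  const data = await upstream.json();
  return { status: 200, body: { address, risk: data.risk ?? "unknown" } };
}

// pages/api/security/address-check.js style handler (Next.js pages router).
async function handler(req, res) {
  if (req.method !== "POST") return res.status(405).end();
  const result = await proxyAddressCheck(req.body?.address, {
    apiKey: process.env.CHAINALYSIS_API_KEY, // no NEXT_PUBLIC_ prefix: server-only
    fetchImpl: fetch,
    upstreamBase: UPSTREAM_BASE,
  });
  res.status(result.status).json(result.body);
}
```

The security:check-globals script the PR adds is the complementary control: grepping the built bundle for `__*__` window globals catches a regression of the "before" pattern before it ships.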