🔐 Fix: Admin Password Exposed in Client-Side Bundle#36
Open
Pranavms09 wants to merge 3 commits into
- Remove VITE_ADMIN_PASSWORD from Admin.jsx and .env
- Implement signInWithEmailAndPassword for admin login
- Use onAuthStateChanged for persistent auth state
- Add firestore.rules with role-based access control
- Update .env.example to remove deprecated variable

Fixes #security-vulnerability
@Pranavms09 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel. A member of the Team first needs to authorize it.
Pull request overview
This PR removes an insecure client-side admin password check (previously bundled via a VITE_ env var) and replaces Admin access with Firebase Authentication, alongside repository config/docs updates intended to support the new auth model and Firestore protection.
Changes:
- Replace Admin Panel password comparison with Firebase Auth email/password sign-in and persisted auth state.
- Export a Firebase `auth` instance from the shared Firebase initializer.
- Add Firestore security rules and update environment/documentation/gitignore to remove `VITE_ADMIN_PASSWORD`.
Reviewed changes
Copilot reviewed 5 out of 7 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| `src/pages/Admin/Admin.jsx` | Swaps client-side password gate for Firebase Auth + auth-state-driven UI. |
| `src/lib/firebase.js` | Adds and exports `auth` via `getAuth(app)`. |
| `firestore.rules` | Introduces Firestore rules intended to restrict access (needs alignment with existing app behavior). |
| `CONTRIBUTING.md` | Updates setup notes to reflect Firebase Auth-based admin access. |
| `.gitignore` | Ignores `.env` files while allowing `.env.example` to be committed. |
| `.env.example` | Provides Firebase config placeholders; removes admin password guidance. |
| `package-lock.json` | Lockfile updated as part of dependency graph changes. |
Comments suppressed due to low confidence (1)
src/pages/Admin/Admin.jsx:198
`onSnapshot` is registered without an error callback. If Firestore rejects the listener (e.g., `permission-denied` due to rules/UID mismatch), `loading` never flips to false and the UI will spin indefinitely. Add an error handler to set `loading` false and surface a user-visible message (and possibly sign out) when snapshot subscription fails.

```js
const q = query(collection(db, "feedback"), orderBy("createdAt", sortOrder));
const unsub = onSnapshot(q, snap => {
  setItems(snap.docs.map(d => ({ id: d.id, ...d.data() })));
  setLoading(false);
});
```
Comment on lines +11 to +14 of `firestore.rules`:

```
// Users collection — only the owner can read their own doc
match /users/{userId} {
allow read, write: if request.auth != null
&& request.auth.uid == userId;
```
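Review bot: `allow read, write: if request.auth != null && request.auth.uid == userId` lets any signed-in user write every field of their own `/users/{userId}` document, and `write` covers create, update and delete alike. The PR description calls these rules role-based, so if an admin or role flag is ever stored in that document the owner could grant it to themselves. Either keep authorization keyed purely on the hard-coded admin UID, as the `/feedback` rule does, or split this into `allow read` for the owner plus an `allow update` that rejects changes to protected fields by comparing `request.resource.data` with `resource.data`.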
```js
setAuthLoading(false);
});
return unsub;
}, []);
```
Comment on lines +47 to +51 of `src/pages/Admin/Admin.jsx`:

```js
await signInWithEmailAndPassword(auth, email, pw);
} catch (err) {
setErr(true);
setTimeout(() => setErr(false), 3000);
} finally {
```
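Review bot: the `catch (err)` block discards `err` and only flips `setErr(true)` for 3 s, so a wrong password, a disabled account, a network failure and a mis-configured Firebase project all look the same to the user and leave nothing for the maintainer to diagnose. Log `err.code` (never the password) and keep the on-screen message generic so it does not reveal whether the email exists. The `setTimeout` is also never cleared: store the timer id and clear it in an effect cleanup, otherwise a sign-in that fails just before the Admin component unmounts calls `setErr` on an unmounted component.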
```js
setLoading(false);
});
return unsub;
}, [authed, sortOrder]);
```
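Review bot: this effect re-runs on `[authed, sortOrder]` and returns `unsub` unconditionally, so unless the head of the effect (not shown here) bails out while `authed` is false, a signed-out client subscribes to `feedback`, Firestore rejects it with `permission-denied` under the new rules, and, as the suppressed comment above notes, nothing ever clears `loading`. Guard the subscription on `authed` and pass an error handler as the third argument to `onSnapshot` that sets `loading` to false and surfaces a message.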
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
🔐 Fix: Admin Password Exposed in Client-Side Bundle
Closes #28
📋 Summary
This PR fixes a critical security vulnerability where the admin password was stored in a `VITE_` environment variable and shipped inside the client-side JavaScript bundle — making it readable by anyone via browser DevTools. The client-side password check has been fully replaced with Firebase Authentication (email/password sign-in), and Firestore security rules have been added to restrict access to the feedback collection.
🐛 Problem
The admin password was read directly from `import.meta.env.VITE_ADMIN_PASSWORD`. Since all `VITE_` variables are embedded into the JS bundle at build time, the password was fully visible in DevTools → Sources to any user.
✅ Solution
Replaced the password check with Firebase Auth. Auth state is now managed by `onAuthStateChanged` — the session persists on refresh without `sessionStorage` hacks.
📁 Files Changed
- `src/pages/Admin/Admin.jsx`
- `src/lib/firebase.js` (`auth` instance)
- `firestore.rules`
- `.env.example` (removed `VITE_ADMIN_PASSWORD`, added setup instructions)
🔒 Firestore Security Rules
A `firestore.rules` file has been included in the root of the repo for your review. Key rules:
- `/feedback` collection → readable/writable only by the verified admin UID
- `/users/{userId}` → readable/writable only by the matching authenticated user
🧪 Testing Done
- Production build (`npm run build`)
- Auth state persists on refresh (`onAuthStateChanged`)
- `VITE_ADMIN_PASSWORD` removed from all files
🚀 Deployment Notes (For Maintainer)
As discussed, I have tested this on my own personal Firebase project. For production:
- Replace `ADMIN_UID_PLACEHOLDER` in `firestore.rules` with your real Admin UID
- Deploy `firestore.rules` to the production Firebase project
- Remove `VITE_ADMIN_PASSWORD` from production environment variables
🔗 Related
Closes #28
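As an added example (not code from this PR or the repository): a small Node script a maintainer could run before `npm run build` to catch the class of bug described under Problem above, where a `VITE_`-prefixed secret is inlined into the bundle. It assumes a `.env` in plain `KEY=VALUE` form; the script name `check-env.js`, the secret-name markers and every sample value below are constructed.

```javascript
// Added example, not code from this PR: a pre-build guard against the bug fixed here.
// Vite inlines every VITE_-prefixed variable into the client bundle, so a secret named
// VITE_ADMIN_PASSWORD ends up as a plain string literal in dist/*.js for anyone to read.
// Intended usage (file name is an assumption): node check-env.js, before `npm run build`.

// Name fragments that mark a variable as a secret. "KEY" is deliberately absent:
// VITE_FIREBASE_API_KEY is a public Firebase web identifier, not a secret.
const SECRET_MARKERS = ["PASSWORD", "SECRET", "TOKEN", "PRIVATE"];

// Parse KEY=VALUE lines of a .env file into an object; comments and blank lines are
// skipped, and matching surrounding single or double quotes are stripped from the value.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let val = line.slice(eq + 1).trim();
    const quoted = (q) => val.length >= 2 && val.startsWith(q) && val.endsWith(q);
    if (quoted('"') || quoted("'")) val = val.slice(1, -1);
    vars[key] = val;
  }
  return vars;
}

// Keys that Vite would ship to every browser AND whose name says they are secret.
function findExposedSecrets(envText) {
  return Object.keys(parseDotenv(envText)).filter(
    (k) => k.startsWith("VITE_") && SECRET_MARKERS.some((m) => k.includes(m))
  );
}

// Second line of defence after a build: which flagged values actually appear in the bundle.
function scanBundle(bundleText, envText) {
  const vars = parseDotenv(envText);
  return findExposedSecrets(envText).filter((k) => vars[k] !== "" && bundleText.includes(vars[k]));
}

// Constructed sample input mirroring the pre-fix state described in this PR.
const SAMPLE_ENV = [
  "# constructed .env; DB_SECRET has no VITE_ prefix, so Vite never inlines it",
  "VITE_FIREBASE_API_KEY=AIza-constructed-public-key",
  'VITE_ADMIN_PASSWORD="hunter2-constructed"',
  "DB_SECRET=server-only-constructed",
].join("\n");
// Constructed minified bundle text after Vite replaced import.meta.env.VITE_ADMIN_PASSWORD.
const SAMPLE_BUNDLE = 'if(p==="hunter2-constructed"){setAuthed(!0)}';

console.log("exposed in .env:", findExposedSecrets(SAMPLE_ENV));
console.log("found in bundle:", scanBundle(SAMPLE_BUNDLE, SAMPLE_ENV));
```

A non-empty result from either function should fail the CI job; the Firebase API key is intentionally not flagged because it is meant to be public and access is governed by the Firestore rules instead.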