Added lib/test-var.ts
Adds a new file `lib/var-ts.ts` containing hardcoded API keys for OpenAI, Anthropic, and Tavily, along with two broken authorization functions that always return true.
lib/var-ts.ts: Hardcoded production API keys exposed in source code (OPENAI_KEY, ANTHROPIC_KEY, TAVILY_KEY). These appear to be real API key formats. Once committed they are readable by anyone with repository access, and they stay in Git history even after a later commit removes them from the file.
Suggestion: Treat these keys as compromised and revoke/rotate them immediately if they are real; deleting them from the file is not enough. Remove all hardcoded secrets. Load them from environment variables at runtime (process.env.OPENAI_KEY, etc.), fail fast at startup if a required one is missing rather than falling back to a literal, and add .env to .gitignore. Never commit secrets to source control.
lib/var-ts.ts: authorize() always returns true regardless of token validity, so any caller that relies on it is effectively unauthenticated. This is a critical security vulnerability.
Suggestion: Implement real token validation (verify the signature or look the token up, check expiry, reject malformed input). If this is temporary scaffolding, do not merge until real validation is in place. The safe placeholder is default-deny: return false or throw until proper auth is added, never true.
lib/var-ts.ts: adminBypass() always returns true regardless of userId, granting admin privileges to every caller, including when userId is undefined or empty. This defeats any authorization logic layered on top of it.
Suggestion: Implement a proper admin check. Compare userId against an explicit allowlist of admin users and treat undefined/empty userId as not admin. Do not merge code that grants universal admin access.
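The following is an added example of what the three suggestions above look like together (runtime secret loading, a default-deny authorize(), and an allowlist-based admin check). It is reviewer-supplied illustration, not code from the PR or the project. The HMAC-signed token format, the requireEnv/verifyToken/isAdmin names and the use of an in-memory allowlist are assumptions made for the example; the project may use a different token scheme or an identity provider instead.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Read a secret from the environment at startup and fail fast if it is absent,
// so a missing key can never silently fall back to a hardcoded literal.
export function requireEnv(
  name: string,
  env: Record<string, string | undefined> = process.env,
): string {
  const value = env[name];
  if (!value || value.trim() === "") {
    throw new Error(`Missing required environment variable ${name}`);
  }
  return value;
}

// Hypothetical token format, used only for this example:
// base64url(JSON payload) + "." + base64url(HMAC-SHA256(payload, secret)).
export interface TokenPayload {
  sub: string; // user id
  exp: number; // expiry, milliseconds since the epoch
}

const b64url = (buf: Buffer): string => buf.toString("base64url");

function sign(payloadB64: string, secret: string): Buffer {
  return createHmac("sha256", secret).update(payloadB64).digest();
}

export function issueToken(payload: TokenPayload, secret: string): string {
  const payloadB64 = b64url(Buffer.from(JSON.stringify(payload), "utf8"));
  return `${payloadB64}.${b64url(sign(payloadB64, secret))}`;
}

// Returns the verified payload, or null. Deny is the default: a missing,
// malformed, tampered or expired token all yield null.
export function verifyToken(
  token: string | undefined,
  secret: string,
  now: number = Date.now(),
): TokenPayload | null {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [payloadB64, sigB64] = parts;
  const expected = sign(payloadB64, secret);
  const given = Buffer.from(sigB64, "base64url");
  // Constant-time comparison; timingSafeEqual requires equal lengths, so check first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return null;
  }
  let payload: unknown;
  try {
    payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof payload !== "object" || payload === null) return null;
  const { sub, exp } = payload as Partial<TokenPayload>;
  if (typeof sub !== "string" || sub === "" || typeof exp !== "number") return null;
  if (exp <= now) return null;
  return { sub, exp };
}

// Replacement for the always-true authorize(): true only for a valid, unexpired token.
export function authorize(
  token: string | undefined,
  secret: string,
  now: number = Date.now(),
): boolean {
  return verifyToken(token, secret, now) !== null;
}

// Replacement for adminBypass(): explicit allowlist, and undefined/empty is never admin.
export function isAdmin(
  userId: string | undefined,
  admins: ReadonlySet<string>,
): boolean {
  if (typeof userId !== "string" || userId === "") return false;
  return admins.has(userId);
}
```

Usage would be `const secret = requireEnv("AUTH_SIGNING_SECRET");` once at startup, then `authorize(req.headers.authorization, secret)` and `isAdmin(payload.sub, ADMINS)` per request, where AUTH_SIGNING_SECRET and ADMINS are placeholders for whatever the project actually configures. The point of the shape is that every early return is a denial, so a bug in the happy path cannot turn into an accidental bypass the way the current always-true stubs do.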
Concerns (3)
- The TODO comment acknowledges secrets need to be moved to env vars before merging, but the PR is being submitted for merge anyway
- No tests included for the authorization functions; tests written against the current always-true implementations would only lock in the broken behavior, so they should be added alongside the real validation logic
- The file is named 'var-ts.ts' but exports constants and functions, not just variables - naming doesn't reflect purpose