Fix critical security vulnerabilities - remove hardcoded secrets

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
2026-05-26 19:26:33 +00:00 · 2026-01-31 18:40:21 +00:00
parent d8b8a57aab
commit f04fc76eb9
6 changed files with 80 additions and 87 deletions
@@ -15,9 +15,9 @@ export default function AdminLogin() {
    // Check if already authenticated
    const checkExistingAuth = async () => {
      const token = localStorage.getItem('admin_token')
-      if (token === 'admin-secret-key') {
+      if (token) {
        try {
-          // Verify token with API
+          // Verify token with API - no hardcoded secret check
          const response = await fetch('http://127.0.0.1:5000/api/admin/courses', {
            headers: { 'Authorization': `Bearer ${token}` }
          })
@@ -62,6 +62,23 @@ export default function AdminDashboard() {
  const router = useRouter()

  // Authentication logic
+  // Helper function to get admin token from localStorage
+  const getAdminToken = (): string | null => {
+    if (typeof window !== 'undefined') {
+      return localStorage.getItem('admin_token')
+    }
+    return null
+  }
+
+  // Helper function to get authorization headers
+  const getAuthHeaders = (): Record<string, string> => {
+    const token = getAdminToken()
+    return {
+      'Authorization': token ? `Bearer ${token}` : '',
+      'Content-Type': 'application/json'
+    }
+  }
+
  useEffect(() => {
    setIsClient(true)
    
@@ -69,31 +86,28 @@ export default function AdminDashboard() {
      try {
        await new Promise(resolve => setTimeout(resolve, 500))
        
-        const token = localStorage.getItem('admin_token')
+        const token = getAdminToken()
        
        if (!token) {
          router.push('/admin/login')
          return
        }
        
-        if (token === 'admin-secret-key') {
-          try {
-            const response = await fetch('http://127.0.0.1:5000/api/admin/courses', {
-              headers: { 'Authorization': `Bearer ${token}` }
-            })
-            
-            if (response.ok) {
-              setIsAuthenticated(true)
-              fetchData()
-            } else {
-              localStorage.removeItem('admin_token')
-              router.push('/admin/login')
-            }
-          } catch (apiError) {
+        // Verify token with API - no hardcoded secret check
+        try {
+          const response = await fetch('http://127.0.0.1:5000/api/admin/courses', {
+            headers: { 'Authorization': `Bearer ${token}` }
+          })
+          
+          if (response.ok) {
            setIsAuthenticated(true)
            fetchData()
+          } else {
+            localStorage.removeItem('admin_token')
+            router.push('/admin/login')
          }
-        } else {
+        } catch (apiError) {
+          // If API is unavailable, don't allow access without verification
          localStorage.removeItem('admin_token')
          router.push('/admin/login')
        }
@@ -114,10 +128,7 @@ export default function AdminDashboard() {
  const fetchCourses = async () => {
    try {
      const response = await fetch('http://127.0.0.1:5000/api/admin/courses', {
-        headers: { 
-          'Authorization': 'Bearer admin-secret-key',
-          'Content-Type': 'application/json'
-        }
+        headers: getAuthHeaders()
      })
      
      if (!response.ok) {
@@ -141,7 +152,7 @@ export default function AdminDashboard() {
  const fetchStats = async () => {
    try {
      const response = await fetch('http://127.0.0.1:5000/api/admin/dashboard', {
-        headers: { 'Authorization': 'Bearer admin-secret-key' }
+        headers: getAuthHeaders()
      })
      if (response.ok) {
        const data = await response.json()
@@ -161,10 +172,7 @@ export default function AdminDashboard() {
      console.log('🔍 Fetching modules for course:', courseId) // Debug log
      
      const response = await fetch(`http://127.0.0.1:5000/api/admin/courses/${courseId}/modules`, {
-        headers: { 
-          'Authorization': 'Bearer admin-secret-key',
-          'Content-Type': 'application/json'
-        }
+        headers: getAuthHeaders()
      })
      
      console.log('🔍 Modules response status:', response.status) // Debug log
@@ -209,10 +217,7 @@ export default function AdminDashboard() {
      console.log('🔍 Fetching lessons for module:', moduleId) // Debug log
      
      const response = await fetch(`http://127.0.0.1:5000/api/admin/modules/${moduleId}/lessons`, {
-        headers: { 
-          'Authorization': 'Bearer admin-secret-key',
-          'Content-Type': 'application/json'
-        }
+        headers: getAuthHeaders()
      })
      
      console.log('🔍 Lessons response status:', response.status) // Debug log
@@ -253,10 +258,7 @@ export default function AdminDashboard() {
    try {
      const response = await fetch('http://127.0.0.1:5000/api/admin/courses', {
        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-          'Authorization': 'Bearer admin-secret-key'
-        },
+        headers: getAuthHeaders(),
        body: JSON.stringify(formData)
      })
      
@@ -277,10 +279,7 @@ export default function AdminDashboard() {
    try {
      const response = await fetch(`http://127.0.0.1:5000/api/admin/courses/${courseId}`, {
        method: 'PUT',
-        headers: {
-          'Content-Type': 'application/json',
-          'Authorization': 'Bearer admin-secret-key'
-        },
+        headers: getAuthHeaders(),
        body: JSON.stringify(formData)
      })
      
@@ -301,7 +300,7 @@ export default function AdminDashboard() {
      try {
        const response = await fetch(`http://127.0.0.1:5000/api/admin/courses/${courseId}`, {
          method: 'DELETE',
-          headers: { 'Authorization': 'Bearer admin-secret-key' }
+          headers: getAuthHeaders()
        })
        
        if (response.ok) {
@@ -333,10 +332,7 @@ export default function AdminDashboard() {
      
      const response = await fetch(`http://127.0.0.1:5000/api/admin/courses/${selectedCourse?.id}/modules`, {
        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-          'Authorization': 'Bearer admin-secret-key'
-        },
+        headers: getAuthHeaders(),
        body: JSON.stringify(formData)
      })
      
@@ -358,10 +354,7 @@ export default function AdminDashboard() {
      
      const response = await fetch(`http://127.0.0.1:5000/api/admin/modules/${moduleId}/lessons`, {
        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-          'Authorization': 'Bearer admin-secret-key'
-        },
+        headers: getAuthHeaders(),
        body: JSON.stringify(formData)
      })
      
@@ -108,37 +108,20 @@ export default function CoursePage() {
      let modulesData = null
      let modulesResponse = null
      
+      // Use public endpoint for course page (not admin endpoint)
      try {
-        modulesResponse = await fetch(`http://127.0.0.1:5000/api/admin/courses/${courseId}/modules`, {
+        modulesResponse = await fetch(`http://127.0.0.1:5000/api/courses/${courseId}/modules`, {
          headers: {
-            'Authorization': 'Bearer admin-secret-key',
            'Content-Type': 'application/json'
          }
        })
        
        if (modulesResponse.ok) {
          modulesData = await modulesResponse.json()
-          console.log('✅ Modules loaded from admin endpoint:', modulesData)
-        }
-      } catch (adminError) {
-        console.log('⚠️ Admin endpoint failed, trying public endpoint')
-      }
-      
-      if (!modulesData || !modulesResponse?.ok) {
-        try {
-          modulesResponse = await fetch(`http://127.0.0.1:5000/api/courses/${courseId}/modules`, {
-            headers: {
-              'Content-Type': 'application/json'
-            }
-          })
-          
-          if (modulesResponse.ok) {
-            modulesData = await modulesResponse.json()
-            console.log('✅ Modules loaded from public endpoint:', modulesData)
-          }
-        } catch (publicError) {
-          console.error('❌ Both module endpoints failed')
+          console.log('✅ Modules loaded from public endpoint:', modulesData)
        }
+      } catch (publicError) {
+        console.error('❌ Module endpoint failed')
      }
      
      if (modulesData) {
@@ -185,21 +168,13 @@ export default function CoursePage() {
      try {
        console.log('🔍 Fetching lessons for module:', module.id)
        
-        let lessonsResponse = await fetch(`http://127.0.0.1:5000/api/admin/modules/${module.id}/lessons`, {
+        // Use public endpoint for course page (not admin endpoint)
+        const lessonsResponse = await fetch(`http://127.0.0.1:5000/api/modules/${module.id}/lessons`, {
          headers: {
-            'Authorization': 'Bearer admin-secret-key',
            'Content-Type': 'application/json'
          }
        })
        
-        if (!lessonsResponse.ok) {
-          lessonsResponse = await fetch(`http://127.0.0.1:5000/api/modules/${module.id}/lessons`, {
-            headers: {
-              'Content-Type': 'application/json'
-            }
-          })
-        }
-        
        if (lessonsResponse.ok) {
          const lessonData = await lessonsResponse.json()
          console.log(`✅ Lessons loaded for module ${module.id}:`, lessonData)