security: move hardcoded bootstrap API key to env var

PUBLIC_AE_BOOTSTRAP_KEY replaces the hardcoded 'IDF68Em5X4HTZlswRNgepQ' in: - src/routes/+layout.ts (site-domain bootstrap request) - src/routes/testing/+page.svelte (trace agent key) Added to .env.staging, .env.prod, .env.local (gitignored), and updated .env.staging.default / .env.prod.default with XXXX placeholders. Key can now be rotated independently from the main API secret key.
2026-03-10 16:30:11 -04:00
parent b7d9e9669d
commit f03627ef3c
4 changed files with 13 additions and 4 deletions
--- a/.env.prod.default
+++ b/.env.prod.default
@@ -13,6 +13,9 @@ PUBLIC_AE_API_PORT=443
 PUBLIC_AE_API_PATH=
 PUBLIC_AE_API_SECRET_KEY=XXXX
 PUBLIC_AE_API_CRUD_SUPER_KEY=XXXX
+# Bootstrap key: used only for the unauthenticated site-domain lookup on first load.
+# Separate from the main API key — has limited permissions (no account_id required).
+PUBLIC_AE_BOOTSTRAP_KEY=XXXX
 PUBLIC_AE_NO_ACCOUNT_ID=No_Account_ID_Here
 PUBLIC_AE_NO_ACCOUNT_ID_TOKEN=Nothing_to_see_here

--- a/.env.staging.default
+++ b/.env.staging.default
@@ -13,6 +13,9 @@ PUBLIC_AE_API_PORT=443
 PUBLIC_AE_API_PATH=
 PUBLIC_AE_API_SECRET_KEY=XXXX
 PUBLIC_AE_API_CRUD_SUPER_KEY=XXXX
+# Bootstrap key: used only for the unauthenticated site-domain lookup on first load.
+# Separate from the main API key — has limited permissions (no account_id required).
+PUBLIC_AE_BOOTSTRAP_KEY=XXXX
 PUBLIC_AE_NO_ACCOUNT_ID=No_Account_ID_Here
 PUBLIC_AE_NO_ACCOUNT_ID_TOKEN=Nothing_to_see_here

--- a/src/routes/+layout.ts
+++ b/src/routes/+layout.ts
@@ -17,6 +17,7 @@ import {
    PUBLIC_AE_API_PATH,
    PUBLIC_AE_API_SECRET_KEY,
    PUBLIC_AE_API_CRUD_SUPER_KEY,
+    PUBLIC_AE_BOOTSTRAP_KEY,
    // PUBLIC_AE_NO_ACCOUNT_ID,
    // PUBLIC_AE_NO_ACCOUNT_ID_TOKEN
 } from '$env/static/public';
@@ -206,13 +207,14 @@ export async function load({ fetch, params, parent, route, url }) {
        try {
            if (log_lvl) console.log(`ROOT LOAD: No cache. Starting site lookup V3 for ${fqdn}...`);

-            // Use dedicated Agent Key for Bootstrap and include the unauthenticated bypass header ONLY for this request
+            // Use dedicated Bootstrap key — limited permissions, no account_id required.
+            // Key is injected at build time from PUBLIC_AE_BOOTSTRAP_KEY in .env.
            const bootstrap_api_cfg = {
                ...ae_api_init,
-                api_secret_key: 'IDF68Em5X4HTZlswRNgepQ',
+                api_secret_key: PUBLIC_AE_BOOTSTRAP_KEY,
                headers: {
                    ...ae_api_init.headers,
-                    'x-aether-api-key': 'IDF68Em5X4HTZlswRNgepQ',
+                    'x-aether-api-key': PUBLIC_AE_BOOTSTRAP_KEY,
                    'x-no-account-id': 'bypass' // Force explicit bypass for bootstrap
                }
            };
--- a/src/routes/testing/+page.svelte
+++ b/src/routes/testing/+page.svelte
@@ -1,5 +1,6 @@
 <script lang="ts">
    import { onMount } from 'svelte';
+    import { PUBLIC_AE_BOOTSTRAP_KEY } from '$env/static/public';

    import { api } from '$lib/api/api';
    import { ae_loc, ae_api, ae_sess } from '$lib/stores/ae_stores';
@@ -52,7 +53,7 @@
    let trace_use_jwt = $state(true);
    let trace_jwt_method = $state('header'); // 'header' or 'url'
    let trace_use_bypass = $state(false);
-    let trace_agent_key = 'IDF68Em5X4HTZlswRNgepQ';
+    let trace_agent_key = PUBLIC_AE_BOOTSTRAP_KEY;
    let trace_use_agent_key = $state(false);

    onMount(async () => {