🚨 SECURITY FIX: Remove exposed API key from repository#12

Merged: unforced merged 1 commit into main from fix/remove-api-key-security on Sep 24, 2025

Conversation

@unforced (Member)

🚨 Critical Security Fix

This PR removes the accidentally committed .env file containing the Google Maps API key.

What Happened

  • The .env file was accidentally committed to the repository
  • This exposed the Google Maps API key: AIzaSyCu5C6Mx8oVhtXtzKQf48xdm7rdtx_5yqo

What This PR Does

  • Removes .env from git tracking (file stays locally)
  • .env remains in .gitignore to prevent future commits

⚠️ IMMEDIATE ACTIONS REQUIRED

1. Merge this PR immediately

2. Rotate the Google Maps API Key

  1. Go to Google Cloud Console
  2. Navigate to APIs & Services > Credentials
  3. Find the exposed key (AIzaSyCu5C6Mx8oVhtXtzKQf48xdm7rdtx_5yqo)
  4. Click on it and then DELETE or REGENERATE
  5. Create a new API key
  6. Add restrictions to the new key:
    • Application restrictions: HTTP referrers
    • Website restrictions: Add your domains:
      • https://cohereboulder.org/*
      • http://localhost:*
    • API restrictions: Restrict to Maps JavaScript API and Places API only

3. Update Local Environment

  1. Update your local .env file with the new key
  2. Never commit the .env file

4. Update Production Environment

  • Update the environment variable in your deployment platform (Vercel/Netlify/etc.)

Important Note

The exposed key is still in git history. While this PR removes it from the current state, anyone with repository access can still see it in history. This is why rotating the key is CRITICAL.

Prevention for Future

  • Always double-check before committing that .env is not included
  • Use git status to verify what's being committed
  • Consider using git hooks to prevent .env commits

This is a critical security fix and should be merged immediately.

- Remove .env file from git (was accidentally committed)
- File remains in .gitignore to prevent future commits
- API key exposed in commit history needs to be rotated

IMPORTANT: The Google Maps API key that was exposed needs to be regenerated immediately in Google Cloud Console
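The two claims in the description (untracking keeps the local file; the committed value stays readable in history, so rotation is the real fix) can be checked end to end. The script below is an added example, not code from the PR or the project: a POSIX shell script that builds a throwaway repository with a constructed placeholder in .env, applies the same `git rm --cached` fix, and then reads the value back out of history. The scratch directory, the commit identity, and the placeholder value are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR or the project: rebuilds the situation in a
# throwaway repository so both claims in the description can be checked:
#   1. `git rm --cached .env` stops tracking the file but leaves the working copy in place
#   2. the committed value is still reachable through history, which is why the key
#      has to be rotated rather than just removed
# The .env content below is a constructed placeholder, not a real key.
set -eu

# Create a scratch repo in which .env was (wrongly) committed.
make_scratch_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" config user.email "dev@example.invalid"
    git -C "$dir" config user.name "dev"
    printf 'VITE_GOOGLE_MAPS_API_KEY=AIza_PLACEHOLDER_NOT_A_REAL_KEY\n' > "$dir/.env"
    git -C "$dir" add -f .env
    git -C "$dir" commit -q -m "oops: commit .env"
    printf '%s\n' "$dir"
}

# The fix from the PR: untrack .env, keep the local file, make sure .gitignore lists it.
untrack_env() {
    repo=$1
    git -C "$repo" rm -q --cached .env
    grep -qx '.env' "$repo/.gitignore" 2>/dev/null || printf '.env\n' >> "$repo/.gitignore"
    git -C "$repo" add .gitignore
    git -C "$repo" commit -q -m "Remove .env from git tracking"
}

# Prints 1 if .env is tracked at HEAD, 0 otherwise.
env_tracked_at_head() {
    if git -C "$1" ls-files --error-unmatch .env >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Prints how many commits in history touch .env (the add and the removal both count).
commits_touching_env() {
    git -C "$1" log --all --oneline -- .env | wc -l | tr -d ' '
}

# Prints 1 if the placeholder value can still be read out of history, 0 otherwise.
secret_in_history() {
    if git -C "$1" log --all -p -- .env | grep -q 'AIza_PLACEHOLDER'; then echo 1; else echo 0; fi
}

# Run with DEMO=1 to set up the repo, apply the fix and report the resulting state.
if [ "${DEMO:-0}" = 1 ]; then
    repo=$(make_scratch_repo)
    untrack_env "$repo"
    echo "local .env present:      $(test -f "$repo/.env" && echo yes || echo no)"
    echo ".env tracked at HEAD:    $(env_tracked_at_head "$repo")"
    echo "commits touching .env:   $(commits_touching_env "$repo")"
    echo "placeholder in history:  $(secret_in_history "$repo")"
    rm -rf "$repo"
fi
```

Run it as `DEMO=1 sh untrack-demo.sh`: after the fix the local file is still present and no longer tracked, yet `git log -p` still returns the placeholder, which is exactly the "Important Note" above. Rewriting history (filter-repo, force push) only helps once every clone and fork has been updated; rotating the key is the step that does not depend on anyone else.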
unforced self-assigned this on Sep 24, 2025
@claude (bot) commented Sep 24, 2025



Security Fix PR Review ✅

Completed comprehensive review of this critical security fix that removes the exposed Google Maps API key from the repository.

Review Tasks

  • Examine the repository structure and security configuration
  • Analyze the changed files and git history impact
  • Review code quality and best practices for security fixes
  • Assess potential bugs or remaining security issues
  • Evaluate the remediation approach effectiveness
  • Check for test coverage implications
  • Provide comprehensive security recommendations

🔐 Security Review Results

What This PR Does Well

  1. Immediate Threat Mitigation: Successfully removes the .env file containing the exposed API key AIzaSyCu5C6Mx8oVhtXtzKQf48xdm7rdtx_5yqo
  2. Proper Git Configuration: The .env file is correctly listed in .gitignore (line 16), preventing future accidental commits
  3. Clear Documentation: Excellent PR description with step-by-step remediation instructions
  4. Graceful Degradation: The LocationAutocomplete component handles missing API keys gracefully with fallback behavior (lines 52-57)

⚠️ Critical Security Issues Identified

🚨 HIGH PRIORITY: Multi-Environment Exposure

The git history reveals this is more severe than initially described. The exposed credentials include:

From commit 7aa0238:

VITE_SUPABASE_ANON_KEY="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
VITE_SUPABASE_PROJECT_ID="pnvxrczcygrkbschkvkv"
VITE_SUPABASE_URL="https://pnvxrczcygrkbschkvkv.supabase.co"
VITE_GOOGLE_MAPS_API_KEY=AIzaSyCu5C6Mx8oVhtXtzKQf48xdm7rdtx_5yqo

🎯 Immediate Actions Required (Beyond PR Description)

  1. Rotate ALL Exposed Credentials:

    • ✅ Google Maps API Key (as described in PR)
    • MISSING: Supabase anonymous key rotation
    • MISSING: Consider Supabase project access review
  2. Production Environment Gap:

    • The GitHub Actions workflow (.github/workflows/deploy.yml) only includes Supabase secrets but is missing VITE_GOOGLE_MAPS_API_KEY
    • This means production deployments currently have no Google Maps functionality

🏗️ Code Quality Assessment

Strengths

  • Defensive Programming: LocationAutocomplete properly validates API key presence (line 52)
  • Error Handling: Includes proper error handling for failed API loads (lines 67-70)
  • User Experience: Shows loading state and graceful fallback when API unavailable

Areas for Improvement

  • Console Logging: Uses console.warn and console.error which may expose information in production
  • API Key Validation: No validation that the provided key is valid/properly formatted

🧪 Test Coverage Implications

Low Risk: This change primarily removes a configuration file and doesn't alter application logic. The LocationAutocomplete component's fallback behavior should be tested, but the security fix itself doesn't require additional test coverage.

📊 Performance Considerations

Positive Impact:

  • Removing hardcoded secrets eliminates a security performance penalty
  • Component handles missing API keys efficiently without blocking render

🛡️ Comprehensive Security Recommendations

Immediate (Before Merge)

  1. This PR should be merged immediately - correctly removes the immediate exposure
  2. 🔄 Add missing environment variable to GitHub Actions:
    VITE_GOOGLE_MAPS_API_KEY: ${{ secrets.VITE_GOOGLE_MAPS_API_KEY }}

Post-Merge (Critical)

  1. Rotate Supabase Credentials: The anonymous key and potentially the project should be rotated
  2. Audit Supabase Project: Review RLS policies and check for unauthorized access
  3. Update Production Secrets: Add the new Google Maps API key to GitHub Secrets

Best Practices Going Forward

  1. Pre-commit Hooks: Consider adding git hooks to prevent .env commits
  2. Environment Validation: Add startup validation to ensure required environment variables are present
  3. Secrets Scanning: Consider implementing automated secrets scanning (GitHub Advanced Security, GitLeaks, etc.)

🏆 Overall Assessment

LGTM with Critical Follow-up Required

This PR effectively addresses the immediate security vulnerability and follows security best practices. However, the scope of exposed credentials is broader than initially identified, requiring additional remediation steps for complete security posture restoration.

Priority: Merge immediately, then execute expanded credential rotation plan.
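The description's "Consider using git hooks to prevent .env commits" and the review's "Pre-commit Hooks" and "Secrets Scanning" points come down to one gate on the index. The hook below is an added example, not the project's own hook: a POSIX shell pre-commit hook that refuses staged .env files and added lines that look like a Google API key or a JWT, the two kinds of value found in commit 7aa0238. The key formats, the sample paths and values used in the usage note, and the install location are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own hook: a git pre-commit hook that refuses a
# commit when either of the two things discussed in this thread is staged:
#   - a .env file (or .env.local, .env.production, ...)
#   - new content that looks like a Google API key or a JWT
# Install by copying to .git/hooks/pre-commit (chmod +x), or by committing it to a
# directory named in core.hooksPath so every clone gets it.
set -eu

# Assumed, commonly documented shapes: Google API keys are "AIza" followed by 35
# URL-safe characters; JWTs are three base64url segments, the first starting "eyJ".
# A match is a reason to stop and look, not proof that the value is a live credential.
SECRET_RE='AIza[0-9A-Za-z_-]{35}|eyJ[0-9A-Za-z_-]{10,}\.[0-9A-Za-z_-]{10,}\.[0-9A-Za-z_-]+'

# Returns 0 if the path is an environment file that must never be committed.
is_env_file() {
    case "${1##*/}" in
        .env|.env.*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Reads a newline-separated list of staged paths on stdin; returns 1 if any is a .env file.
scan_paths() {
    bad=0
    while IFS= read -r path; do
        if is_env_file "$path"; then
            echo "pre-commit: refusing to commit $path (keep it in .gitignore)" >&2
            bad=1
        fi
    done
    return $bad
}

# Reads a unified diff on stdin and checks only the added lines (the '+' lines,
# excluding the '+++' file header); returns 1 on a credential-looking value.
scan_diff() {
    added=$(grep '^+' | grep -v '^+++' || true)
    if printf '%s\n' "$added" | grep -E -q "$SECRET_RE"; then
        echo "pre-commit: staged change contains something that looks like an API key or JWT" >&2
        return 1
    fi
    return 0
}

# Hook entry point: run both checks against what is actually staged.
run_hook() {
    git diff --cached --name-only --diff-filter=ACM | scan_paths || return 1
    git diff --cached -U0 --diff-filter=ACM | scan_diff || return 1
    return 0
}

# Only act when git invokes this file as the pre-commit hook; when sourced or run
# under another name the functions are defined but nothing is checked.
case "$0" in
    */pre-commit) run_hook ;;
esac
```

Because the hook reads the index rather than the working tree, `git status` discipline is no longer the only line of defence: a staged `.env.local` is rejected by `scan_paths`, and a line such as `VITE_GOOGLE_MAPS_API_KEY=AIzaSy…` (39 characters, the format of the exposed key) is rejected by `scan_diff` even when it is pasted into a file that is allowed. Pairing this with server-side scanning (the GitHub Advanced Security or GitLeaks options the review mentions) covers the case where a contributor skips the local hook with `--no-verify`.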


unforced merged commit b20968f into main on Sep 24, 2025
1 check passed
