Skip to content

Remove GitHub access tokens from userData to prevent Firestore storage (Issue #275)#322

Merged
indresh404 merged 1 commit into
indresh404:mainfrom
anshul23102:fix/275-remove-firestore-tokens
Jun 5, 2026
Merged

Remove GitHub access tokens from userData to prevent Firestore storage (Issue #275)#322
indresh404 merged 1 commit into
indresh404:mainfrom
anshul23102:fix/275-remove-firestore-tokens

Conversation

@anshul23102
Copy link
Copy Markdown
Contributor

@anshul23102 anshul23102 commented Jun 4, 2026

Summary

Removes GitHub OAuth access tokens from userData objects to prevent accidental storage in Firestore database, violating secret management principles.

Problem

GitHub OAuth tokens included in userData object could potentially be stored in Firestore if code changes occur. This violates security principles:

  • Tokens should never be persisted to databases
  • Increases attack surface from database breaches
  • Violates OWASP and PCI-DSS guidelines
  • Makes token rotation impossible
  • No audit trail for token access

Solution

Removed githubAccessToken from userData object:

  • Tokens kept in memory only during session
  • userData object no longer contains credentials
  • Added security comments explaining token handling
  • Ensures tokens never reach Firestore

Changes

  • Modified src/lib/firebase.js signInWithGitHub function
  • Removed githubAccessToken from userData construction
  • Added security documentation comments

Security Benefits

Prevents Credential Exposure:

  • Tokens never included in stored user objects
  • Memory-only approach prevents database leaks
  • No risk of credential exposure from backups

Reduces Attack Surface:

  • Database breach cannot expose tokens
  • Tokens cannot be recovered from backups
  • Limits damage from potential Firestore access

Testing Strategy

  • Verify login still works with token in memory
  • Check userData doesn't contain token
  • Verify API calls still use token properly
  • Test token is cleared on logout
  • Verify no credentials in Firestore

Files Modified

  • Modified: src/lib/firebase.js (removed token from userData)

Fixes #275

@anshul23102
Remove GitHub access tokens from being stored in userData objects
bfc5b32 
Ensures GitHub OAuth access tokens are never included in userData objects
that could potentially be stored in Firestore. Tokens are sensitive
credentials that should only exist in memory during the current session.

Security improvements:
- Removed githubAccessToken from userData object
- Added security comments explaining token handling
- Prevents accidental Firestore storage of credentials
- Tokens only used in memory for API calls

Fixes issue indresh404#275
@anshul23102 anshul23102 requested a review from indresh404 as a code owner June 4, 2026 10:55
@vercel
Copy link
Copy Markdown

vercel Bot commented Jun 4, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
ranker-hub Ready Ready Preview, Comment Jun 4, 2026 10:55am

@anshul23102
Copy link
Copy Markdown
Contributor Author

anshul23102 commented Jun 4, 2026

Please add relevant labels:

  • type/security
  • severity/high
  • area/secrets
  • nsoc
  • gssoc26

These help with tracking and prioritization. Thank you!

@github-actions github-actions Bot added backend Backend/Firebase related changes bug Something isn't working documentation Improvements or additions to documentation enhancement New feature or request frontend Frontend related changes (HTML/CSS/JS/React) gssoc GirlScript Summer of Code gssoc26 GirlScript Summer of Code 2026 nsoc NSoC NSoC'26 NSoC 2026 pending-review PR is pending review labels Jun 4, 2026
@anshul23102
Copy link
Copy Markdown
Contributor Author

anshul23102 commented Jun 5, 2026

Suggested Labels

For maintainer review and categorization:

  • security (Security vulnerability fix)
  • backend (Firestore database)
  • level:advanced (Advanced complexity)

Removes GitHub access tokens from Firestore to prevent token exposure and storage violations.

@indresh404 indresh404 merged commit bf908a7 into indresh404:main Jun 5, 2026
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@indresh404 indresh404 Awaiting requested review from indresh404 indresh404 is a code owner

Assignees

@anshul23102 anshul23102

Labels

backend Backend/Firebase related changes bug Something isn't working documentation Improvements or additions to documentation enhancement New feature or request frontend Frontend related changes (HTML/CSS/JS/React) gssoc GirlScript Summer of Code gssoc26 GirlScript Summer of Code 2026 level3 nsoc NSoC NSoC'26 NSoC 2026 pending-review PR is pending review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security: GitHub API access token stored in Firestore database, violates secret management principles and increases attack surface

2 participants

@anshul23102 @indresh404