Remove hardcoded credentials; replace with env var references #48

Draft
Copilot wants to merge 2 commits into main from copilot/replace-hardcoded-credentials

Conversation

Copilot AI commented Apr 8, 2026


Three files contained hardcoded database passwords and admin credentials committed to source code. This replaces all of them with process.env.* lookups and safe placeholder fallbacks.

Changes

  • backend/scripts/check-all-dbs.ts — PostgreSQL connection string, MySQL, and MariaDB credentials all moved to env vars:

    const pg = new Pool({ connectionString: process.env.DATABASE_URL || '******localhost:5433/datacendia' });
    // ...
    host: process.env.MYSQL_HOST || 'localhost',
    password: process.env.MYSQL_PASSWORD || '',
    // ...
    host: process.env.MARIADB_HOST || 'localhost',
    password: process.env.MARIADB_PASSWORD || '',
  • backend/scripts/verify-marketing-data.ts — Same pattern applied to the matching PostgreSQL, MySQL, and MariaDB connection blocks.

  • docs/API_DOCUMENTATION.md — Hardcoded admin@datacendia.com / DatacendiaAdmin2024! in the auth example replaced with your-email@company.com / your-password.

⚠️ Rotate cendia2025, datacendia_secure_2024, and DatacendiaAdmin2024! in any environments where they were in active use.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactoring (no functional changes)
  • CI/CD or infrastructure change

Community/Enterprise Boundary

  • This PR only touches Community Edition code (see COMMUNITY.md)
  • This PR touches Enterprise Edition code (requires platform-lead approval)

Checklist

  • My code follows the project's coding standards
  • I have added/updated tests for my changes
  • All new and existing tests pass (npm run test)
  • TypeScript compiles without errors (npm run typecheck)
  • Lint passes (npm run lint)
  • I have updated documentation if needed
  • I have not committed secrets, API keys, or credentials
  • My changes do not introduce console warnings or errors

Screenshots / Recordings

N/A — no UI changes.

Testing Instructions

  1. Set DATABASE_URL, MYSQL_HOST, MYSQL_PASSWORD, MYSQL_DATABASE, MARIADB_HOST, MARIADB_PASSWORD, MARIADB_DATABASE in your local .env.
  2. Run npx ts-node backend/scripts/check-all-dbs.ts — verify it connects using env var values.
  3. Confirm the scripts fail cleanly (connection error, not auth error with old credentials) when env vars are unset.
Original prompt

Problem

A security audit identified multiple hardcoded credentials and secrets committed to source code in this repository. These must be replaced with environment variable references and safe placeholder values.

Files to Fix

1. backend/scripts/check-all-dbs.ts (BlobSha: 2f2be172a45ad5be2b6e5ac098b596f70a8a4315)

Line 12: Hardcoded PostgreSQL connection string with password:

const pg = new Pool({ connectionString: 'postgresql://datacendia:datacendia_secure_2024@localhost:5433/datacendia' });

Fix: Replace with:

const pg = new Pool({ connectionString: process.env.DATABASE_URL || 'postgresql://datacendia:changeme@localhost:5433/datacendia' });

Line 39: Hardcoded MySQL credentials:

host: 'localhost', port: 3306, user: 'root', password: 'cendia2025', database: 'clientdata'

Fix: Replace with:

host: process.env.MYSQL_HOST || 'localhost',
port: parseInt(process.env.MYSQL_PORT || '3306'),
user: process.env.MYSQL_USER || 'root',
password: process.env.MYSQL_PASSWORD || '',
database: process.env.MYSQL_DATABASE || 'clientdata'

Line 56: Hardcoded MariaDB credentials (same pattern):

host: 'localhost', port: 3307, user: 'root', password: 'cendia2025', database: 'analytics'

Fix: Replace with:

host: process.env.MARIADB_HOST || 'localhost',
port: parseInt(process.env.MARIADB_PORT || '3307'),
user: process.env.MARIADB_USER || 'root',
password: process.env.MARIADB_PASSWORD || '',
database: process.env.MARIADB_DATABASE || 'analytics'

2. backend/scripts/verify-marketing-data.ts (BlobSha: d266ba319889258be853f85022ed0bd60066a895)

Line 13: Same hardcoded PostgreSQL connection string:

const pg = new Pool({ connectionString: 'postgresql://datacendia:datacendia_secure_2024@localhost:5433/datacendia' });

Fix: Same as above — use process.env.DATABASE_URL.

Line 24: Same hardcoded MySQL credentials:

const mysql_conn = await mysql.createConnection({ host: 'localhost', port: 3306, user: 'root', password: 'cendia2025', database: 'clientdata' });

Fix: Same env var pattern as above.

Line 36: Same hardcoded MariaDB credentials:

const maria = await mysql.createConnection({ host: 'localhost', port: 3307, user: 'root', password: 'cendia2025', database: 'analytics' });

Fix: Same env var pattern as above.

3. docs/API_DOCUMENTATION.md (BlobSha: 2cddb0432f29399e57509dc6c702c9ab9e84436b)

Lines 332-335: Hardcoded demo admin credentials in the example:

body: JSON.stringify({
    email: 'admin@datacendia.com',
    password: 'DatacendiaAdmin2024!'
})

Fix: Replace with placeholder values:

body: JSON.stringify({
    email: 'your-email@company.com',
    password: 'your-password'
})

4. src/lib/featureFlags.ts (BlobSha: 5a1fa4f9da1769e49c3ccafe1f35ebe1cf860a59)

Line 21: The Unleash token fallback is an empty string, which is correct in datacendia-components. However, the platform audit report (reports/PLATFORM_AUDIT_2026_02_17.md lines 178-180) flagged that the datacendia-core version had 'cendia-admin-token' hardcoded. Verify this file is correct (it appears to already be fixed in this repo with || ''). No change needed if already using env var fallback to empty string.

Summary of Changes Required

| File | Issue | Fix |
| --- | --- | --- |
| backend/scripts/check-all-dbs.ts | 3 hardcoded passwords (datacendia_secure_2024, cendia2025 x2) | Replace with process.env.* references |
| backend/scripts/verify-marketing-data.ts | 3 hardcoded passwords (same values) | Replace with process.env.* references |
| docs/API_DOCUMENTATION.md | Hardcoded admin credentials in example | Replace with generic placeholder values |

Important Notes

  • Do NOT modify any .env or .env.example files (those are in the other repo).
  • Do NOT change any other files — only the 3 files listed above.
  • Keep the same overall code structure/logic; only replace credential literals with environment variable lookups.
  • For the docs, keep the example functional but use clearly-placeholder values like your-email@company.com and your-password.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Check for passwords or secrets

Assistant:

I'll check for any passwords, secrets, or sensitive credentials in your repositories. Let me search for common patterns.

Assistant: Here's a summary of the secrets and credentials findings across your datacendia/datacendia-core and datacendia/datacendia-components repositories:


🔴 HIGH SEVERITY — Hardcoded Credentials in Source Code

1. Hardcoded database passwords in scripts

host: 'localhost', port: 3306, user: 'root', password: 'cendia...
*This pull request was created from Copilot chat.*
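As an added example (not code from this PR or the project), the same process.env fallback pattern written as a small TypeScript helper, plus a check a reviewer would want before running the scripts: whether any of the credentials the PR says to rotate (cendia2025, datacendia_secure_2024, DatacendiaAdmin2024!) is still being supplied through the environment. The names mysqlConfig, findRotatedSecrets and the Env type are assumptions; the port parsing adds a radix and NaN guard that the PR's parseInt call lacks.

```typescript
// Added example, not the project's code: env-based DB config with the PR's
// fallback values, and a pre-flight check for rotated (leaked) secrets.
type Env = Record<string, string | undefined>;

interface DbConfig {
  host: string;
  port: number;
  user: string;
  password: string;
  database: string;
}

// Credentials the PR marks as rotated. Seeing one of these in a live config
// means an environment is still running on a secret that was in source control.
const ROTATED_SECRETS: string[] = ["cendia2025", "datacendia_secure_2024", "DatacendiaAdmin2024!"];

// Same fallbacks as the PR (host/user/database keep non-secret defaults, the
// password falls back to ''), with the port validated instead of trusted.
function mysqlConfig(env: Env, prefix: "MYSQL" | "MARIADB", defaultPort: number, defaultDb: string): DbConfig {
  const port = Number.parseInt(env[`${prefix}_PORT`] ?? String(defaultPort), 10);
  if (Number.isNaN(port) || port < 1 || port > 65535) {
    throw new Error(`${prefix}_PORT is not a valid TCP port`);
  }
  return {
    host: env[`${prefix}_HOST`] || "localhost",
    port,
    user: env[`${prefix}_USER`] || "root",
    password: env[`${prefix}_PASSWORD`] || "",
    database: env[`${prefix}_DATABASE`] || defaultDb,
  };
}

// Returns the env var names still carrying a rotated secret (empty = clean).
// DATABASE_URL is checked by pulling the password out of the URL userinfo.
function findRotatedSecrets(env: Env): string[] {
  const hits: string[] = [];
  const mysql = mysqlConfig(env, "MYSQL", 3306, "clientdata");
  const maria = mysqlConfig(env, "MARIADB", 3307, "analytics");
  if (ROTATED_SECRETS.includes(mysql.password)) hits.push("MYSQL_PASSWORD");
  if (ROTATED_SECRETS.includes(maria.password)) hits.push("MARIADB_PASSWORD");
  const url = env.DATABASE_URL;
  if (url) {
    const m = /^[a-z][a-z0-9+.-]*:\/\/[^:@\/]*:([^@]*)@/i.exec(url);
    if (m && ROTATED_SECRETS.includes(decodeURIComponent(m[1]))) hits.push("DATABASE_URL");
  }
  return hits;
}
```

Running findRotatedSecrets on the process environment before the check-all-dbs.ts connection logic turns "auth error with old credentials" into an explicit, named failure.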
Copilot AI changed the title [WIP] Replace hardcoded credentials with env variables Remove hardcoded credentials; replace with env var references Apr 8, 2026
Copilot AI requested a review from datacendia April 8, 2026 09:49