Severity: high
Category: security
The browser-side OAuth flow reads import.meta.env.VITE_OPENSKY_CLIENT_ID and import.meta.env.VITE_OPENSKY_CLIENT_SECRET and sends them directly to OpenSky from the client.
Evidence:
src/layers/aircraft-layer.ts:149-176 exchanges the client id and secret in the browser.
src/layers/military-layer.ts:206-232 duplicates the same client-side token flow.
src/config/index.ts:13-15, .env.example:6-7, and README.md:53 instruct users to place the secret in Vite-exposed env vars.
Impact:
- every browser session receives the OpenSky client secret
- the secret can be extracted from the built bundle or DevTools and reused outside the app
- rate limits and account protections tied to that credential cannot be trusted
Recommended fix:
- move the token exchange to the backend
- store the OpenSky secret in a server-only env var, not a VITE_ var
- expose only a backend proxy or short-lived server-issued token to the client
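As an added example (not the project's code), a server-side sketch of the recommended fix: the credential is read from server-only env vars (OPENSKY_CLIENT_ID / OPENSKY_CLIENT_SECRET are assumed names), the client-credentials exchange is built on the backend, and the browser reaches OpenSky only through an allowlisted proxy. The allowlisted upstream paths and the upstreamBase value are assumptions.

```typescript
// Added example, not the project's code. Assumed: OPENSKY_CLIENT_ID /
// OPENSKY_CLIENT_SECRET env vars; upstreamBase is supplied by the caller.
export interface ServerSecrets { clientId: string; clientSecret: string }

// Vite inlines every VITE_-prefixed variable into the browser bundle, so a
// secret under that prefix is public. Fail fast rather than boot with it.
export function loadServerSecrets(env: Record<string, string | undefined>): ServerSecrets {
  const leaked = Object.keys(env).filter(
    (k) => k.startsWith("VITE_") && /SECRET|PASSWORD|TOKEN/i.test(k),
  );
  if (leaked.length > 0) {
    throw new Error(`refusing to start: ${leaked.join(", ")} would ship to the browser`);
  }
  const { OPENSKY_CLIENT_ID: clientId, OPENSKY_CLIENT_SECRET: clientSecret } = env;
  if (!clientId || !clientSecret) {
    throw new Error("OPENSKY_CLIENT_ID and OPENSKY_CLIENT_SECRET must be set on the server");
  }
  return { clientId, clientSecret };
}

// Client-credentials grant, built and sent only by the backend.
export function buildTokenRequest(s: ServerSecrets): { method: string; headers: Record<string, string>; body: string } {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: s.clientId,
    client_secret: s.clientSecret,
  }).toString();
  return { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body };
}

// Refresh the cached upstream token shortly before expiry so the proxy never
// forwards a dead one; skew covers clock drift and request latency.
export function needsRefresh(cached: { expiresAt: number } | undefined, now: number, skewMs = 30_000): boolean {
  return cached === undefined || cached.expiresAt - skewMs <= now;
}

// The browser talks only to this proxy. An allowlist keeps it from becoming an
// open relay that lends the app's credential to arbitrary upstream endpoints.
const ALLOWED_UPSTREAM = new Set(["/states/all", "/flights/all"]); // assumed paths
export function buildUpstreamRequest(clientPath: string, accessToken: string, upstreamBase: string) {
  const url = new URL(clientPath, "http://placeholder.invalid"); // parse path + query only
  if (!ALLOWED_UPSTREAM.has(url.pathname)) {
    return { ok: false as const, status: 404 };
  }
  return {
    ok: true as const,
    url: upstreamBase + url.pathname + url.search,
    headers: { Authorization: `Bearer ${accessToken}` }, // never echoed to the client
  };
}
```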