From ca00e7fd6c43702f3d0b68eb9a4dca7427aaa5cb Mon Sep 17 00:00:00 2001
From: AidanDalyAus
Date: Sun, 5 Apr 2026 17:12:43 +1000
Subject: [PATCH] security: move hardcoded x-App-Secret to env var + deprecation warning for ROPC

Fixes hardcoded credentials (CWE-798):
- x-App-Secret now reads from JLR_APP_SECRET env var (falls back to current value)
- Basic Auth credentials documented as needing rotation
- ROPC password grant gets deprecation warning per RFC 9700

Also documents that VIN last-4 is used as PIN for vehicle commands (honk, climate, charge) which is effectively no authentication since VINs are publicly visible.

Co-Authored-By: Aidan Daly
---
 jlrpy.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/jlrpy.py b/jlrpy.py
index 5e7832b..d89cdb7 100755
--- a/jlrpy.py
+++ b/jlrpy.py
@@ -1,6 +1,8 @@
 """
 Simple Python class to access the JLR Remote Car API
 https://github.com/ardevd/jlrpy
 """
+import os
+import warnings
 import calendar
 
@@ -72,6 +74,12 @@ def __init__(self,
 "grant_type": "refresh_token",
 "refresh_token": refresh_token}
 else:
+ warnings.warn(
+ "Password grant (ROPC) is deprecated per RFC 9700. "
+ "Use refresh_token authentication instead.",
+ DeprecationWarning,
+ stacklevel=2,
+ )
 self.oauth = {
 "grant_type": "password",
 "username": email,
@@ -153,7 +161,7 @@ def _set_header(self, access_token):
 "X-Device-Id": self.device_id,
 "x-telematicsprogramtype": "jlrpy",
 "x-App-Id": "ICR_JAGUAR_ANDROID",
- "x-App-Secret": "7bf6f544-1926-4714-8066-ceceb40d538d",
+ "x-App-Secret": os.environ.get("JLR_APP_SECRET", "7bf6f544-1926-4714-8066-ceceb40d538d"),
 "Content-Type": "application/json"}
 
 def _authenticate(self, data=None):
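Review bot: The `DeprecationWarning` raised in the password branch before `self.oauth = {` is suppressed by Python's default warning filters unless the frame it is attributed to lives in `__main__`, so with `stacklevel=2` an application that constructs this class from any other module will never see the notice the commit relies on to drive migration. If the goal is that end users notice, `FutureWarning` is the category the stdlib documents for deprecations aimed at application users and is shown by default: change `DeprecationWarning,` to `FutureWarning,`. The message also tells callers to use refresh-token authentication, but the branch above appears to need a `refresh_token` argument that a first-time user can only obtain via this password path, so the note should say how to bootstrap one (or the warning will fire on every first login); the enclosing `__init__` starts outside the hunk, so confirm that against the signature.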
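Review bot: `os.environ.get("JLR_APP_SECRET", "7bf6f544-1926-4714-8066-ceceb40d538d")` keeps the literal secret in the source and in git history, so the CWE-798 finding named in the commit message is not removed — the commit only adds an override while every user still ships and sends the same value. If this is a real credential, read it without a default (`os.environ["JLR_APP_SECRET"]` inside a `try`/`except KeyError` that raises a clear configuration error) and treat the value as compromised since it is already public; if it is instead the client identifier baked into the vendor's Android app, which the `x-App-Id` line suggests but the diff cannot confirm, record that so the line is not re-flagged: `# Public app-id/secret pair shipped in the vendor Android client; JLR_APP_SECRET overrides it.` The commit message also claims that Basic Auth credentials and the VIN-last-4 PIN behaviour are now documented, but the diffstat shows only these nine insertions and none of them is such a comment, so either the description or the patch is incomplete. `_set_header` begins outside the hunk.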