From 6fc8a2d37fc1dc849712e7e11fe37d6de7c38454 Mon Sep 17 00:00:00 2001
From: louispaulb
Date: Fri, 27 Mar 2026 13:39:41 -0400
Subject: [PATCH] refactor: externalize ERP service token via VITE_ERP_TOKEN env var
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Token is no longer hardcoded in source — injected at build time. Build with: VITE_ERP_TOKEN="key:secret" npx quasar build Prevents accidental token invalidation and keeps secrets out of git.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/api/auth.js | 4 +++-
 src/stores/auth.js | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/api/auth.js b/src/api/auth.js
index 4457992..97ce031 100644
--- a/src/api/auth.js
+++ b/src/api/auth.js
@@ -5,7 +5,9 @@
 // ─────────────────────────────────────────────────────────────────────────────
 import { BASE_URL } from 'src/config/erpnext'
-const SERVICE_TOKEN = 'b273a666c86d2d0:06120709db5e414'
+// Service token injected at build time via VITE_ERP_TOKEN env var
+// Fallback: read from window.__ERP_TOKEN__ (set by server-side injection)
+const SERVICE_TOKEN = import.meta.env.VITE_ERP_TOKEN || window.__ERP_TOKEN__ || ''
 export function authFetch (url, opts = {}) {
 opts.headers = { ...opts.headers, Authorization: 'token ' + SERVICE_TOKEN }
diff --git a/src/stores/auth.js b/src/stores/auth.js
index 41db883..1a39755 100644
--- a/src/stores/auth.js
+++ b/src/stores/auth.js
@@ -9,7 +9,7 @@ import { ref } from 'vue'
 import { BASE_URL } from 'src/config/erpnext'
 // Service token for ERPNext API — all dispatch API calls use this
-const ERP_SERVICE_TOKEN = 'b273a666c86d2d0:06120709db5e414'
+const ERP_SERVICE_TOKEN = import.meta.env.VITE_ERP_TOKEN || window.__ERP_TOKEN__ || ''
 export const useAuthStore = defineStore('auth', () => {
 const user = ref(null)
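Review bot: `import.meta.env.VITE_ERP_TOKEN` on the new `SERVICE_TOKEN` line in src/api/auth.js is still a client-side value: Vite statically inlines `VITE_`-prefixed variables into the built bundle, and `window.__ERP_TOKEN__` is readable by any script running on the page, so the credential leaves git but is still delivered to every browser that loads the app (the same expression is added in src/stores/auth.js). If this token carries service-level ERPNext rights, the durable fix is to keep it behind a server-side proxy that attaches the `Authorization` header, or to use per-user sessions, so the browser never holds it. The literal removed here remains in repository history, so it should be revoked and reissued rather than reused as the `VITE_ERP_TOKEN` value. At minimum the new comment should say so, e.g. `// NOTE: VITE_* values are embedded in the client bundle; treat this token as visible to end users`.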
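Review bot: The trailing `|| ''` on `ERP_SERVICE_TOKEN` in src/stores/auth.js (and on `SERVICE_TOKEN` in src/api/auth.js, where `authFetch` builds `'token ' + SERVICE_TOKEN`) turns a missing build variable into requests that carry an empty credential, which presumably only surfaces later as scattered API auth failures. Failing or logging once at module load is easier to diagnose, for example `if (!ERP_SERVICE_TOKEN) console.error('ERP token not configured: set VITE_ERP_TOKEN at build time')`. The lookup is also duplicated verbatim in two modules; exporting it once from src/api/auth.js and importing it here would keep the two from drifting.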