refactor: externalize ERP service token via VITE_ERP_TOKEN env var

Token is no longer hardcoded in source — injected at build time. Build with: VITE_ERP_TOKEN="key:secret" npx quasar build Prevents accidental token invalidation and keeps secrets out of git. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 13:39:41 -04:00 · 2026-03-27 13:39:41 -04:00 · 6fc8a2d37f
commit 6fc8a2d37f
parent 1263786b90
2 changed files with 4 additions and 2 deletions
--- a/src/api/auth.js
+++ b/src/api/auth.js
@ -5,7 +5,9 @@
 // ─────────────────────────────────────────────────────────────────────────────
 import { BASE_URL } from 'src/config/erpnext'
-const SERVICE_TOKEN = 'b273a666c86d2d0:06120709db5e414'
+// Service token injected at build time via VITE_ERP_TOKEN env var
 // Fallback: read from window.__ERP_TOKEN__ (set by server-side injection)
 const SERVICE_TOKEN = import.meta.env.VITE_ERP_TOKEN || window.__ERP_TOKEN__ || ''
 export function authFetch (url, opts = {}) {
  opts.headers = { ...opts.headers, Authorization: 'token ' + SERVICE_TOKEN }
--- a/src/stores/auth.js
+++ b/src/stores/auth.js
@ -9,7 +9,7 @@ import { ref } from 'vue'
 import { BASE_URL } from 'src/config/erpnext'
 // Service token for ERPNext API — all dispatch API calls use this
-const ERP_SERVICE_TOKEN = 'b273a666c86d2d0:06120709db5e414'
+const ERP_SERVICE_TOKEN = import.meta.env.VITE_ERP_TOKEN || window.__ERP_TOKEN__ || ''
 export const useAuthStore = defineStore('auth', () => {
  const user    = ref(null)