From 056b4ff86c66927c3f4b8138367e76af73dd8488 Mon Sep 17 00:00:00 2001
From: Aalok <freeediting35@gmail.com>
Date: Sun, 17 May 2026 00:23:41 +0530
Subject: [PATCH] fix(security): replace hardcoded S3 credentials with
 environment variables

---
 common/config/main.php                        |  4 +-
 .../prod-railway/common/config/main-local.php |  4 +-
 scripts/verify_credentials.php                | 59 +++++++++++++++++++
 3 files changed, 63 insertions(+), 4 deletions(-)
 create mode 100644 scripts/verify_credentials.php

diff --git a/common/config/main.php b/common/config/main.php
index 793bdb35..de067f60 100644
--- a/common/config/main.php
+++ b/common/config/main.php
@@ -8,8 +8,8 @@
         'temporaryBucketResourceManager' => [
             'class' => 'common\components\S3ResourceManager',
             'region' => 'eu-west-2', // Bucket based in London
-            'key' => 'AKIAWMITDJRKVN5ODY2X',
-            'secret' => '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',
+            'key' => getenv('AWS_TEMP_BUCKET_KEY'),
+            'secret' => getenv('AWS_TEMP_BUCKET_SECRET'),
             'bucket' => 'studenthub-public-anyone-can-upload-24hr-expiry'
             /**
              * You can access the Temporary bucket with:
diff --git a/environments/prod-railway/common/config/main-local.php b/environments/prod-railway/common/config/main-local.php
index f8b14d07..541090bd 100644
--- a/environments/prod-railway/common/config/main-local.php
+++ b/environments/prod-railway/common/config/main-local.php
@@ -154,8 +154,8 @@
             'authMethod' => \common\components\S3ResourceManager::AUTH_VIA_KEY_AND_SECRET,
             'region' => 'eu-west-2', // Bucket based in London
             'bucket' => 'studenthub-uploads',
-            'key' => 'AKIAWMITDJRKWZZEWCUM',//railway-s3-access
-            'secret' => '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',
+            'key' => getenv('AWS_PERMANENT_S3_ACCESS_KEY_ID'),//railway-s3-access
+            'secret' => getenv('AWS_PERMANENT_S3_SECRET_ACCESS_KEY'),
             /**
              * For Local Development, we access using key and secret
              * For Dev and Production servers, access is via server embedded IAM roles so no key/secret required
diff --git a/scripts/verify_credentials.php b/scripts/verify_credentials.php
new file mode 100644
index 00000000..b410b3c6
--- /dev/null
+++ b/scripts/verify_credentials.php
@@ -0,0 +1,59 @@
+<?php
+
+$files = [
+    'common/config/main.php',
+    'environments/prod-railway/common/config/main-local.php'
+];
+
+$patterns = [
+    'AKIAWMITDJRKVN5ODY2X',
+    'zAr8Xov1olqBAaiE8CX+j45qDHaAbO+S3EhUVeaT',
+    'AKIAWMITDJRKWZZEWCUM',
+    'M6olF9l1pZ1sKIswrSCjKtGkAG2w9qDV9x230UlI'
+];
+
+$envVars = [
+    'AWS_TEMP_BUCKET_KEY',
+    'AWS_TEMP_BUCKET_SECRET',
+    'AWS_PERMANENT_S3_ACCESS_KEY_ID',
+    'AWS_PERMANENT_S3_SECRET_ACCESS_KEY'
+];
+
+$errors = [];
+
+foreach ($files as $file) {
+    $content = file_get_contents($file);
+    if ($content === false) {
+        $errors[] = "Could not read file: $file";
+        continue;
+    }
+
+    foreach ($patterns as $pattern) {
+        if (strpos($content, $pattern) !== false) {
+            $errors[] = "Found hardcoded credential '$pattern' in $file";
+        }
+    }
+
+    foreach ($envVars as $envVar) {
+        if (strpos($content, "getenv('$envVar')") === false) {
+            // Check if it's the right file for the env var
+            if ($file === 'common/config/main.php' && (strpos($envVar, 'TEMP') !== false)) {
+                 $errors[] = "Missing getenv('$envVar') in $file";
+            }
+            if ($file === 'environments/prod-railway/common/config/main-local.php' && (strpos($envVar, 'PERMANENT') !== false)) {
+                 $errors[] = "Missing getenv('$envVar') in $file";
+            }
+        }
+    }
+}
+
+if (empty($errors)) {
+    echo "Verification PASSED: No hardcoded credentials found and environment variables are used.\n";
+    exit(0);
+} else {
+    echo "Verification FAILED:\n";
+    foreach ($errors as $error) {
+        echo "- $error\n";
+    }
+    exit(1);
+}