# Fix Hardcoded Google Sheets Credentials Plan

## Problem
`src/routes/leads.js` has hardcoded Google Sheets credentials:

```javascript
// Lines 518-519
const SHEET_ID = '1h4yn2iHgzgckOuyrHI_Yyo2hrYsmyA5jmG5KltYy5Gg';
const GID = '119397187';
```

**Issues:**
1. **Security:** Anyone with repo access sees these credentials
2. **Maintainability:** Changing sheets requires code change + deploy
3. **Flexibility:** Can't use different sheets for different environments

## Severity
**MEDIUM** - Not exploitable remotely, but exposes internal data source to anyone with repo access.

## Solution
Move to environment variables with validation.

### Before:
```javascript
const SHEET_ID = '1h4yn2iHgzgckOuyrHI_Yyo2hrYsmyA5jmG5KltYy5Gg';
const GID = '119397187';
```

### After:
```javascript
// Inside the POST /api/leads/import-sheet route handler
const SHEET_ID = process.env.GOOGLE_SHEET_ID;
const GID = process.env.GOOGLE_SHEET_GID;

if (!SHEET_ID || !GID) {
  return res.status(503).json({
    error: 'Google Sheets not configured. Set GOOGLE_SHEET_ID and GOOGLE_SHEET_GID environment variables.'
  });
}
```

## Implementation Steps
- [x] Phase 1: Update `src/routes/leads.js` to use env vars ✅
- [x] Phase 2: Add validation for missing env vars ✅
- [ ] Phase 3: Add env vars to Railway dashboard - QA
- [ ] Phase 4: Update `.env.example` with new vars (if exists) - Optional
- [ ] Phase 5: Test import-sheet endpoint - QA

## Build Progress

### ✅ Code Changes Complete
**Commit:** e3aa4b2 "Move Google Sheets credentials to environment variables"
**Pushed:** main branch

**Changed:** `src/routes/leads.js` lines 517-527
- Replaced hardcoded SHEET_ID and GID with process.env.*
- Added validation returning 503 if not configured

## Environment Variables to Add

**In Railway Dashboard:**

| Variable | Value |
|----------|-------|
| `GOOGLE_SHEET_ID` | `1h4yn2iHgzgckOuyrHI_Yyo2hrYsmyA5jmG5KltYy5Gg` |
| `GOOGLE_SHEET_GID` | `119397187` |

## Files to Modify

| File | Changes |
|------|---------|
| `src/routes/leads.js` | Replace hardcoded values with `process.env.*` |

## Database Migration
None required.

## API Endpoints Affected
- `POST /api/leads/import-sheet` - Will return 503 if env vars not set

## Success Criteria
1. No hardcoded sheet credentials in source code
2. Import still works when env vars are set
3. Clear error message when env vars are missing

## Notes for Builder

### Code Change (lines 517-520)
Replace:
```javascript
// Default sheet configuration
const SHEET_ID = '1h4yn2iHgzgckOuyrHI_Yyo2hrYsmyA5jmG5KltYy5Gg';
const GID = '119397187';
const csvUrl = `https://docs.google.com/spreadsheets/d/${SHEET_ID}/export?format=csv&gid=${GID}`;
```

With:
```javascript
// Sheet configuration from environment
const SHEET_ID = process.env.GOOGLE_SHEET_ID;
const GID = process.env.GOOGLE_SHEET_GID;

if (!SHEET_ID || !GID) {
  return res.status(503).json({
    error: 'Google Sheets import not configured. Contact admin.'
  });
}

const csvUrl = `https://docs.google.com/spreadsheets/d/${SHEET_ID}/export?format=csv&gid=${GID}`;
```
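
The replacement above only checks that both variables are present. As an added example (not the code in `src/routes/leads.js`), the same step can also confirm each value has the expected shape before it is interpolated into `csvUrl`. The helper name `buildSheetCsvUrl`, the two patterns and the sample values are assumptions made for illustration.

```javascript
// Added example: validate the sheet settings before they reach the export URL.
// buildSheetCsvUrl, the patterns and the sample values are hypothetical.
const SHEET_ID_RE = /^[A-Za-z0-9_-]{10,128}$/; // assumed shape of a spreadsheet ID
const GID_RE = /^[0-9]{1,20}$/;                 // assumed shape of a tab gid

function buildSheetCsvUrl(env) {
  const sheetId = (env.GOOGLE_SHEET_ID || '').trim();
  const gid = (env.GOOGLE_SHEET_GID || '').trim();

  if (!sheetId || !gid) {
    return { ok: false, status: 503, reason: 'missing' };
  }
  // Reject values that would alter the path or query string once interpolated,
  // such as a full URL pasted into the variable instead of the bare ID.
  if (!SHEET_ID_RE.test(sheetId)) {
    return { ok: false, status: 503, reason: 'malformed GOOGLE_SHEET_ID' };
  }
  if (!GID_RE.test(gid)) {
    return { ok: false, status: 503, reason: 'malformed GOOGLE_SHEET_GID' };
  }

  const url = new URL(`https://docs.google.com/spreadsheets/d/${sheetId}/export`);
  url.searchParams.set('format', 'csv');
  url.searchParams.set('gid', gid);
  return { ok: true, url: url.toString() };
}

// Constructed sample environments (not real sheet identifiers).
const SAMPLE_ENVS = {
  valid: { GOOGLE_SHEET_ID: 'CONSTRUCTED_sheet_id_0123456789', GOOGLE_SHEET_GID: '42' },
  missing: { GOOGLE_SHEET_ID: 'CONSTRUCTED_sheet_id_0123456789' },
  pastedUrl: {
    GOOGLE_SHEET_ID: 'https://docs.google.com/spreadsheets/d/CONSTRUCTED/edit',
    GOOGLE_SHEET_GID: '42',
  },
  pastedFragment: { GOOGLE_SHEET_ID: 'CONSTRUCTED_sheet_id_0123456789', GOOGLE_SHEET_GID: 'gid=42' },
};

function checkSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLE_ENVS).map(([name, env]) => [name, buildSheetCsvUrl(env)])
  );
}

// In the route handler: log result.reason server-side, return a generic 503 body.
console.log(checkSamples());
```
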

### Commit Message
"Move Google Sheets credentials to environment variables"

## Notes for QA

### Before Testing
Add env vars to Railway:
1. Go to Railway dashboard → Project → Variables
2. Add `GOOGLE_SHEET_ID` = `1h4yn2iHgzgckOuyrHI_Yyo2hrYsmyA5jmG5KltYy5Gg`
3. Add `GOOGLE_SHEET_GID` = `119397187`
4. Deploy

### Test Cases
1. **With env vars set:** Import should work normally
2. **Without env vars:** Should return 503 with clear error message
3. **Verify no credentials in code:** `grep -r "1h4yn2iH" src/` should return nothing (this checks the current files under `src/`)

## Why This Matters
- Repository is potentially shared or could be made public
- Credentials in code can't be rotated without deploy
- Best practice: secrets in environment, not code
