Date: 2025-12-08
Severity: CRITICAL
Status: Code fixed, git history cleanup required
API credentials were exposed in config.json, which was committed to the git repository. The following credentials were exposed:
- Spotify Client ID: 8e7001ee30f04ec196a29a94fddd619e
- Spotify Client Secret: 597942dc5f3e474481266bc6512cc5e1
- Google API Key: AIzaSyBFxdpFX61mnqtjBg1QQWaL09nti6ytGH8
- Created environment variable system
  - Created .env.example template
  - Updated spotify_to_yt.py to read from environment variables
  - Added python-dotenv to requirements.txt
  - Added environment loading to application.py
  - Created
- Added config.json to .gitignore
  - Prevents future commits of sensitive files
- Added comprehensive error handling
  - All API calls now have proper exception handling
  - Missing credentials fail gracefully with clear error messages
- Updated documentation
  - README.md includes environment setup instructions
  - Clear instructions for obtaining API credentials
These credentials are now public and must be revoked:
- Go to Spotify Developer Dashboard
- Find your app with Client ID: 8e7001ee30f04ec196a29a94fddd619e
- Regenerate Client Secret or delete and create new app
- Update your .env file with new credentials
- Go to Google Cloud Console
- Find API key: AIzaSyBFxdpFX61mnqtjBg1QQWaL09nti6ytGH8
- Delete the key and create a new one
- Update your .env file with new API key
WARNING: This rewrites git history. Coordinate with all collaborators first.

```bash
# Option A: Use BFG Repo-Cleaner (Recommended)
# Download BFG from https://rtyley.github.io/bfg-repo-cleaner/
# Remove config.json from all commits
java -jar bfg.jar --delete-files config.json
git reflog expire --expire=now --all
git gc --prune=now --aggressive
# Force push to remote (WARNING: Destructive)
git push origin --force --all
git push origin --force --tags
```

```bash
# Option B: Use git-filter-repo
# Install: pip install git-filter-repo
git filter-repo --path config.json --invert-paths
# git-filter-repo removes the 'origin' remote after rewriting as a safety measure;
# re-add it (git remote add origin <url>) before force-pushing
git push origin --force --all
git push origin --force --tags
```

Environment setup:

```bash
# Copy example file
cp .env.example .env
# Edit .env with your NEW credentials
nano .env
```

Verification:

```bash
# Ensure config.json is not tracked
git status
# Should show config.json as untracked (if it still exists)
# Or should not appear at all
# Verify .env is not tracked
git status
# .env should not appear or should be in .gitignore
```

- Environment Variables: All secrets now loaded from environment
- Gitignore: .env and config.json added to .gitignore
- Validation: Application validates environment variables at startup
- Documentation: Clear instructions in README.md
- Error Handling: Missing credentials produce clear error messages
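The startup validation described above (environment loading, validation of all variables before the app runs, and a clear failure message when any is missing), as an added example that is not the project's own code; the variable names SPOTIFY_CLIENT_ID, SPOTIFY_CLIENT_SECRET and GOOGLE_API_KEY and the placeholder markers are assumptions, since the report does not list them:

```python
"""Startup credential check: load all secrets from the environment and fail clearly if any is missing."""
import os
from typing import Dict, List, Mapping, Optional

# Variable names are an assumption for this example; the report does not list the project's names.
REQUIRED_VARS = {
    "SPOTIFY_CLIENT_ID": "Spotify Developer Dashboard -> your app",
    "SPOTIFY_CLIENT_SECRET": "Spotify Developer Dashboard -> your app -> Client Secret",
    "GOOGLE_API_KEY": "Google Cloud Console -> APIs & Services -> Credentials",
}
# Substrings that mark a value copied unchanged from a .env.example template (assumed markers).
PLACEHOLDER_MARKERS = ("your_", "your-", "changeme", "replace_me", "<", ">")


class MissingCredentialsError(RuntimeError):
    """Raised at startup when one or more required credentials are absent or still placeholders."""


def load_dotenv_if_available() -> None:
    """Populate os.environ from a local .env file when python-dotenv is installed (optional at import time)."""
    try:
        from dotenv import load_dotenv
    except ImportError:
        return
    load_dotenv()


def load_credentials(env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Return every required credential, or raise one error that names all problems at once."""
    source: Mapping[str, str] = os.environ if env is None else env
    problems: List[str] = []
    found: Dict[str, str] = {}
    for name, where in REQUIRED_VARS.items():
        value = (source.get(name) or "").strip()
        if not value:
            problems.append(f"{name} is not set (obtain it from: {where})")
        elif any(marker in value.lower() for marker in PLACEHOLDER_MARKERS):
            problems.append(f"{name} still holds the .env.example placeholder; replace it with a real value")
        else:
            found[name] = value
    if problems:
        # Report names only; never echo secret values into logs or tracebacks.
        raise MissingCredentialsError(
            "Application cannot start. Fix the following and retry:\n  - " + "\n  - ".join(problems)
        )
    return found


if __name__ == "__main__":
    load_dotenv_if_available()
    creds = load_credentials()
    print("Loaded credentials for:", ", ".join(sorted(creds)))
```

Call `load_credentials()` once at startup in application.py so a misconfigured deployment stops before any API client is constructed.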
- Never commit secrets: Use environment variables for all sensitive data
- Rotate credentials regularly: Change API keys every 90 days
- Use restricted API keys: Limit API key permissions to only what's needed
- Monitor API usage: Watch for unusual API activity indicating compromised keys
- Use .env for local development: Keep production secrets in secure environment variable stores
- Spotify API: Unauthorized access to your Spotify app quotas
- Google YouTube API: Unauthorized use of your YouTube API quota (costs money if exceeded)
- Check Spotify app usage for unauthorized activity
- Check Google Cloud Console for unexpected API usage
- Monitor for any unusual charges
- Revoke and rotate all exposed credentials immediately
Contact the security team or refer to: