Secrets Exposure
- Vulnerable
- Solution 1
- Solution 2 - API code:
pages/api/example-5-secrets-exposure/solution-2.ts
The following API key must read as "undefined" in the frontend, regardless of which user tries to access the page:
process.env.API_KEY:
API results fetched using the process.env.API_KEY variable:
{
  "error": "missing_api_key",
  "message": "The x-api-key header is required for this endpoint.",
  "hint": "Send x-api-key for admin calls (/api/*) or Authorization: Bearer <token> for app-user calls (/app/*).",
  "next_steps": [
    "Go to app.reqres.in/api-keys to get your key",
    "Add header: x-api-key: <your_key>",
    "For app user endpoints, use Authorization: Bearer <session_token> instead"
  ],
  "docs_url": "https://app.reqres.in/docs#authentication",
  "example_curl": "curl -H \"x-api-key: YOUR_API_KEY\" https://api.reqres.in/api/collections",
  "_meta": {
    "powered_by": "ReqRes",
    "docs_url": "https://app.reqres.in/documentation",
    "upgrade_url": "https://app.reqres.in/upgrade",
    "example_url": "https://app.reqres.in/examples/notes-app",
    "variant": "v1_b",
    "message": "Missing/invalid key. Grab a free key to keep responses consistent.",
    "cta": {
      "label": "Get started",
      "url": "https://app.reqres.in/api-keys"
    },
    "context": "invalid_key"
  }
}

The following users should not contain the "passwordHash" property, regardless of which user tries to access the page:
[
  {
    "id": 1,
    "username": "alice"
  },
  {
    "id": 2,
    "username": "bob"
  }
]
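A server-side route in the style of solution-2.ts, added here as an example and not the demo project's own code. It assumes a minimal response object in place of Next.js' NextApiResponse so it runs without the `next` package, and the user records and their hashes are constructed placeholders:

```typescript
// Added example, not the demo project's solution-2.ts. The secret is read
// from the server-side environment only and never placed in a response body;
// user records are projected through an allow-list before they leave the server.

type StoredUser = { id: number; username: string; passwordHash: string };
type PublicUser = { id: number; username: string };

// Constructed stand-in for a database; hash values are placeholders.
const USERS: StoredUser[] = [
  { id: 1, username: "alice", passwordHash: "<hash-placeholder-1>" },
  { id: 2, username: "bob", passwordHash: "<hash-placeholder-2>" },
];

// Allow-list projection: only fields intended for the client are copied.
// A deny-list (`delete user.passwordHash`) leaks any sensitive column added
// later; an allow-list does not.
function toPublicUser(user: StoredUser): PublicUser {
  return { id: user.id, username: user.username };
}

// Builds the upstream request header from the server environment. Next.js only
// inlines NEXT_PUBLIC_* variables into the browser bundle, so API_KEY stays on
// the server as long as it is never returned to, or read by, client code.
function upstreamHeaders(env: Record<string, string | undefined>): Record<string, string> {
  const key = env.API_KEY;
  if (!key) throw new Error("API_KEY is not configured on the server");
  return { "x-api-key": key };
}

// Minimal stand-in (assumption) for the NextApiResponse methods used here.
type MinimalRes = { status: (code: number) => MinimalRes; json: (body: unknown) => void };

// Route handler: reports whether the upstream key is configured (never its
// value) and returns sanitized users only.
function handler(env: Record<string, string | undefined>, res: MinimalRes): void {
  let upstreamReady = true;
  try { upstreamHeaders(env); } catch { upstreamReady = false; }
  res.status(200).json({ upstreamReady, users: USERS.map(toPublicUser) });
}

// Regression check for a serialized response: no hash field, no key material.
function leaksSecret(body: string, env: Record<string, string | undefined>): boolean {
  const key = env.API_KEY ?? "";
  return body.includes("passwordHash") || (key !== "" && body.includes(key));
}
```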