From 619951fa1ce795e82c4302bf19757cb0ee8eea5e Mon Sep 17 00:00:00 2001
From: spinline <bilal.karatatr.@gmail.com>
Date: Sun, 8 Feb 2026 05:16:31 +0300
Subject: [PATCH] security: remove hardcoded VAPID keys fallback

VAPID keys must now be set via environment variables or .env file.
This eliminates the security risk of having keys in source code.
---
 backend/src/push.rs | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/backend/src/push.rs b/backend/src/push.rs
index 0b204e1..7d3b257 100644
--- a/backend/src/push.rs
+++ b/backend/src/push.rs
@@ -118,13 +118,8 @@ pub async fn send_push_notification(
 
     let client = HyperWebPushClient::new();
 
-    // Get VAPID keys from environment or use defaults
-    let _vapid_public_key = std::env::var("VAPID_PUBLIC_KEY")
-        .unwrap_or_else(|_| "BEdPj6XQR7MGzM28Nev9wokF5upHoydNDahouJbQ9ZdBJpEFAN1iNfANSEvY0ItasNY5zcvvqN_tjUt64Rfd0gU".to_string());
-    let vapid_private_key = std::env::var("VAPID_PRIVATE_KEY")
-        .unwrap_or_else(|_| "aUcCYJ7kUd9UClCaWwad0IVgbYJ6svwl19MjSX7GH10".to_string());
-    let vapid_email = std::env::var("VAPID_EMAIL")
-        .unwrap_or_else(|_| "mailto:admin@vibetorrent.app".to_string());
+    let vapid_private_key = std::env::var("VAPID_PRIVATE_KEY").expect("VAPID_PRIVATE_KEY must be set in .env");
+    let vapid_email = std::env::var("VAPID_EMAIL").expect("VAPID_EMAIL must be set in .env");
 
     for subscription in subscriptions {
         let subscription_info = SubscriptionInfo {
@@ -166,6 +161,5 @@ pub async fn send_push_notification(
 }
 
 pub fn get_vapid_public_key() -> String {
-    std::env::var("VAPID_PUBLIC_KEY")
-        .unwrap_or_else(|_| "BEdPj6XQR7MGzM28Nev9wokF5upHoydNDahouJbQ9ZdBJpEFAN1iNfANSEvY0ItasNY5zcvvqN_tjUt64Rfd0gU".to_string())
+    std::env::var("VAPID_PUBLIC_KEY").expect("VAPID_PUBLIC_KEY must be set in .env")
 }