From 6882d6e95237ccd2014553d60fb8bc8dc33dbc86 Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Mon, 18 May 2026 18:27:08 +0300
Subject: [PATCH] security: support secure env-based firebase admin configurations and ignore sensitive keys in git
---
 .gitignore | 6 +++++
 serviceAccountKey.json | 13 ++++++++++
 whatsapp_bridge/package.json | 1 +
 whatsapp_bridge/server.js | 48 ++++++++++++++++++++++++++++--------
 4 files changed, 58 insertions(+), 10 deletions(-)
 create mode 100644 serviceAccountKey.json
diff --git a/.gitignore b/.gitignore
index e0e2d6c..6878ea2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,9 @@ whatsapp_app/android/local.properties
 .idea/
 .vscode/
 *.swp
+
+# Sensitive Configurations
+whatsapp_bridge/serviceAccountKey.json
+whatsapp_bridge/fcm_token.json
+whatsapp_bridge/.env
+whatsapp_bridge/.env.*
diff --git a/serviceAccountKey.json b/serviceAccountKey.json
new file mode 100644
index 0000000..2fb4812
--- /dev/null
+++ b/serviceAccountKey.json
@@ -0,0 +1,13 @@ +{ + "type": "service_account", + "project_id": "mywhatsapp-inta", + "private_key_id": "68c0e08c97134c8e2c94245624b24248af1f8206", + "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDGIBQWyqlyCkUd\n4m/6rmqCIGrx2RZAOE4/jYbhRHBpUupVMe74W8zjOhIdvNxre9ihnQjnIKTuu4ff\nNJfmi7a2ULFI7+y4w63AMmiTrMmvaofbE/SJtr0iKvdPV1m1kgq2QNTGxq3h61uY\nY/rBqcwxzp/AOB5uGmDx7Lm0hmccEZ/j2Ih2ojP8/fqkF2KGJE03rtrz7gJ8Khz9\nfuv339Ft/9zLlVMrswJ0A/9g4XsIP/NPXGenslFuZLmsFpUGRHQf7McXcbUTTd1w\naqrWW1UZsoGlARpw9gTAC9QZbF0D7XOc1RdjfFt9Tpsu3usYaOfPofIIRNcQdSgP\nVjLMKmRDAgMBAAECggEAFMIWqL6qGz81N6jaZ67vjNu9qMJAgREFLcZzy9ViW76q\nu6tkKNRhdqtGa6Q2ifJrY59y59h1P2gZl8rIYYjg52Az+vrcWA10fm8potNXPFBS\nlKMWG3mwfkx3JfJ2fT4kbi0DviHh5QpGSgSrqK/UK6HE/hxDH/EWmDJf0KjGU9vb\nWOjShk19EfmXO88HANe5mD0jfEq4x4UcfC+MV8ECwL4Ctt+yUhR+mc3eTGtIgnKc\nRuDboRUDXTMtWfV8T6r6aznRzf68nDgABOOzSxwZ7QqNtEWXSPNeWsaeN6M590an\nd9OAnNeHF7Fuui7xvp1qurXV29V77hDFLHzN4KsQ6QKBgQD9jq613qekP/Xqr0Yr\n9ibrqNif7D1ykvC5Xv7ziosH7k9NG4SRZFPxWwsSr+zn87rzPzvC2Dmp+KuKxBw9\nTu2jvgNG96qa4B9ky56oCreGt8ee6/2WBECxB3sKsusSHZyUjS6APkTDSAlxanE2\n+IlfT5FnzLkWnZuMmZhiRS/ciwKBgQDICLDTKrjWVYeF9YQQaKEvFC//lfOq/NuC\n//k/ywcIxr1/+j4CtusEtWkkFQ5Dyldzi7uDzI7W1oHRHfgO72HrwkJ+GWHbn3uj\nGAwmCNMF6M5khzGAyb2vgUbWU/DDZYAi6nsyJytUwYHX5ATeNtVJTT8HU9wkO7hv\ng1AnOoh2KQKBgQCzdbZgUNvUW9TBKxb+bHU1nEbeQcVn/2pTuVG3q9olXd1Q1OYq\nRZlIHUkkC9IghZhPK/UvPfzqOW+ogo7+MYvutcD6DLb6cSCnJZsAkr08o3ytFZhh\nAleLNKE4fFP2eXDmj1pXODtQ//53AIBrCNOp2tYuYm6p/BkpFVkOTKvIawKBgB9k\nZcOuB7XzVEJspl4g3XLS+zlkIgpqhlSHsWkWhrMU5XZpIkQwyq9BfQ+hkkyHO7Qx\ncKsddik3HsZfqqdFYBusr9y0RQw/ehq9UmLBrcRWpdVW9ijdADzD0Acgwz8W9cYF\nAHJ9fSpe9+6WpUDuYAiR69tNiNXS3X36oKCXagUJAoGBANe1D/76Gf+5VySP/eWX\nZvE5CZdq7pIw0Jw9uZ32sOX5Nr4q749DRF7nd8a+MqmGk1ahUnHI8YTJ6CuuCcmv\nYU6daxQoOy6KD5MUI+9iyTs6vylFkMnx/92cmebBHf6MuMSMvs/9tcs5GeCgvH8v\n1y+LOKbfzqvgRB5eFdYfqBdC\n-----END PRIVATE KEY-----\n", + "client_email": "firebase-adminsdk-fbsvc@mywhatsapp-inta.iam.gserviceaccount.com", + 
"client_id": "105879704602817836440",
+ "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+ "token_uri": "https://oauth2.googleapis.com/token",
+ "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+ "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-fbsvc%40mywhatsapp-inta.iam.gserviceaccount.com",
+ "universe_domain": "googleapis.com"
+}
diff --git a/whatsapp_bridge/package.json b/whatsapp_bridge/package.json
index 936d41a..ed89661 100644
--- a/whatsapp_bridge/package.json
+++ b/whatsapp_bridge/package.json
@@ -14,6 +14,7 @@
 "author": "Antigravity Dev Team",
 "license": "ISC",
 "dependencies": {
+ "dotenv": "^16.4.5",
 "express": "^4.18.2",
 "firebase-admin": "^11.11.1",
 "puppeteer": "^21.0.0",
diff --git a/whatsapp_bridge/server.js b/whatsapp_bridge/server.js
index e5af63e..f519c2f 100644
--- a/whatsapp_bridge/server.js
+++ b/whatsapp_bridge/server.js
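Review bot: This new file puts what appears to be a live service-account `private_key` into the repository root, and the ignore rules added in the same commit only match `whatsapp_bridge/serviceAccountKey.json`, so this copy is tracked and published with the patch. Drop the file from the commit (`git rm --cached serviceAccountKey.json`) and add `/serviceAccountKey.json` to `.gitignore`. Because the key material is already in the patch, removing the file is not enough: the key named by `private_key_id` should be deleted in the Google Cloud IAM console and a replacement issued outside the repository. A secret-scanning pre-commit hook would catch this class of mistake before it reaches history.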
@@ -16,26 +16,54 @@ const app = express();
 const server = http.createServer(app);
 const wss = new WebSocketServer({ server });
-// ─── Firebase Admin SDK Configuration (Optional Background Pushes) ─────────
+// Load environment variables from .env file
+require('dotenv').config();
+
+// ─── Firebase Admin SDK Configuration (Highly Secure Background Pushes) ─────
 const admin = require('firebase-admin');
 const path = require('path');
 const fs = require('fs');
 let firebaseApp = null;
-const serviceAccountPath = path.join(__dirname, 'serviceAccountKey.json');
-if (fs.existsSync(serviceAccountPath)) {
- try {
- const serviceAccount = require(serviceAccountPath);
+// Support three secure options:
+// 1. Raw JSON string in environment variable (FIREBASE_SERVICE_ACCOUNT)
+// 2. Custom secure file path in environment variable (FIREBASE_SERVICE_ACCOUNT_PATH)
+// 3. Fallback local file ignored by Git (serviceAccountKey.json)
+const envServiceAccount = process.env.FIREBASE_SERVICE_ACCOUNT;
+const envServiceAccountPath = process.env.FIREBASE_SERVICE_ACCOUNT_PATH;
+const localServiceAccountPath = path.join(__dirname, 'serviceAccountKey.json');
+
+try {
+ if (envServiceAccount) {
+ let serviceAccount;
+ if (envServiceAccount.trim().startsWith('{')) {
+ serviceAccount = JSON.parse(envServiceAccount);
+ console.log('[FCM] Initializing Firebase Admin SDK via direct env JSON string...');
+ } else {
+ serviceAccount = require(envServiceAccount);
+ console.log(`[FCM] Initializing Firebase Admin SDK via custom path from env: ${envServiceAccount}`);
+ }
 firebaseApp = admin.initializeApp({
 credential: admin.credential.cert(serviceAccount)
 });
- console.log('[FCM] Firebase Admin SDK initialized successfully using serviceAccountKey.json');
- } catch (err) {
- console.error('[FCM ERROR] Failed to initialize Firebase Admin SDK:', err.message);
+ } else if (envServiceAccountPath && fs.existsSync(envServiceAccountPath)) {
+ console.log(`[FCM] Initializing Firebase Admin SDK via secure custom 
path: ${envServiceAccountPath}`);
+ const serviceAccount = require(envServiceAccountPath);
+ firebaseApp = admin.initializeApp({
+ credential: admin.credential.cert(serviceAccount)
+ });
+ } else if (fs.existsSync(localServiceAccountPath)) {
+ console.log('[FCM] Initializing Firebase Admin SDK via fallback local serviceAccountKey.json...');
+ const serviceAccount = require(localServiceAccountPath);
+ firebaseApp = admin.initializeApp({
+ credential: admin.credential.cert(serviceAccount)
+ });
+ } else {
+ console.warn('[FCM WARNING] No Firebase Service Account found in environment or local files. Background push notifications will be disabled.');
 }
-} else {
- console.warn('[FCM WARNING] serviceAccountKey.json not found in server directory. Background push notifications will be disabled.');
+} catch (err) {
+ console.error('[FCM ERROR] Failed to initialize Firebase Admin SDK:', err.message);
 }
 async function sendPushNotification(chatId, senderName, body) {
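Review bot: The non-JSON branch of `FIREBASE_SERVICE_ACCOUNT` and both path branches load the credential with `require()`, which runs the target as a module when it is a `.js` file and resolves relative paths differently from the `fs.existsSync()` check beside it. Reading the file as data keeps an environment-supplied path from ever being executed: `serviceAccount = JSON.parse(fs.readFileSync(envServiceAccountPath, 'utf8'));`, and the same in the other two branches. When `FIREBASE_SERVICE_ACCOUNT_PATH` is set but the file is missing, the chain falls through silently to the local `serviceAccountKey.json`; a warning at that point would keep the server from starting with a different credential than the operator configured. The last context line opens `sendPushNotification`, whose body is outside the hunk.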