aiolabs/webapp
8
0
Fork 0
Code Issues 65 Pull requests Projects Releases Packages Wiki Activity Actions

Pre-commit secret-scan hook: false positive on prvkey field accesses #35

New issue
Open
opened 2026-05-02 13:38:39 +00:00 by padreug · 0 comments
padreug commented 2026-05-02 13:38:39 +00:00
Owner
Copy link

The pre-commit hook that scans for secrets (pattern: PRIVATE KEY) flags field-access references like authService.user.value.prvkey and auth.currentUser.value?.prvkey as potential secrets. These are TypeScript property accesses on the user object — not literal key material — and they're scattered across the codebase (e.g. src/modules/market/composables/useMarket.ts:402-413).

Reproduction

Stage any unrelated change to src/modules/market/composables/useMarket.ts and run git commit:

ERROR: potential secret in src/modules/market/composables/useMarket.ts (pattern: PRIVATE KEY)
commit blocked: 1 potential secret(s) detected
false positive? use: git commit --no-verify

The flagged content is unchanged from previous commits — the hook scans the whole file, not just the diff hunks.

Impact

Forces --no-verify on legitimate commits that touch this file or any other file referencing the prvkey field. That defeats the hook's value (it's habituating bypassing) and conflicts with the policy of never skipping hooks.

Last triggered: commit 73b67d2 (feat(market): public browse mode + auth toast at checkout), bypassed with --no-verify.

Suggested fixes

Pick one or combine:

  1. Allowlist the field name. Add prvkey to whatever ignore list the hook uses (likely a .gitleaks.toml, .secrets.baseline, or .detect-secrets.yaml file at the repo root — needs locating).
  2. Scan the diff, not the file. Most secret scanners support --staged / unified-diff mode so they only look at lines being added.
  3. Tighten the PRIVATE KEY regex so it requires the literal Bitcoin/Nostr/PEM prefix (e.g. -----BEGIN PRIVATE KEY----- or nsec1...) rather than just the substring prvkey.
  4. Rename the field. prvkeyprivateKey (long-form) elsewhere in the codebase so the substring no longer matches the hook's pattern. Larger blast radius but produces a hook that stays useful.

Notes

  • The prvkey field is on the NostrUser interface (likely in src/lib/api/lnbits.ts or src/modules/base/auth/types.ts); it stores the user's actual Nostr private key in browser memory. So the hook's intent is right — keep an eye on this field — but the line-level heuristic is wrong.
  • Issue tracked from the market public-browse work; not blocking that change.
The pre-commit hook that scans for secrets (pattern: `PRIVATE KEY`) flags field-access references like `authService.user.value.prvkey` and `auth.currentUser.value?.prvkey` as potential secrets. These are TypeScript property accesses on the user object — not literal key material — and they're scattered across the codebase (e.g. `src/modules/market/composables/useMarket.ts:402-413`). ## Reproduction Stage any unrelated change to `src/modules/market/composables/useMarket.ts` and run `git commit`: ``` ERROR: potential secret in src/modules/market/composables/useMarket.ts (pattern: PRIVATE KEY) commit blocked: 1 potential secret(s) detected false positive? use: git commit --no-verify ``` The flagged content is unchanged from previous commits — the hook scans the whole file, not just the diff hunks. ## Impact Forces `--no-verify` on legitimate commits that touch this file or any other file referencing the `prvkey` field. That defeats the hook's value (it's habituating bypassing) and conflicts with the policy of never skipping hooks. Last triggered: commit 73b67d2 (`feat(market): public browse mode + auth toast at checkout`), bypassed with --no-verify. ## Suggested fixes Pick one or combine: 1. **Allowlist the field name.** Add `prvkey` to whatever ignore list the hook uses (likely a `.gitleaks.toml`, `.secrets.baseline`, or `.detect-secrets.yaml` file at the repo root — needs locating). 2. **Scan the diff, not the file.** Most secret scanners support `--staged` / unified-diff mode so they only look at lines being added. 3. **Tighten the `PRIVATE KEY` regex** so it requires the literal Bitcoin/Nostr/PEM prefix (e.g. `-----BEGIN PRIVATE KEY-----` or `nsec1...`) rather than just the substring `prvkey`. 4. **Rename the field.** `prvkey` → `privateKey` (long-form) elsewhere in the codebase so the substring no longer matches the hook's pattern. Larger blast radius but produces a hook that stays useful. ## Notes - The `prvkey` field is on the `NostrUser` interface (likely in `src/lib/api/lnbits.ts` or `src/modules/base/auth/types.ts`); it stores the user's actual Nostr private key in browser memory. So the hook's intent is right — keep an eye on this field — but the line-level heuristic is wrong. - Issue tracked from the market public-browse work; not blocking that change.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dev
No results found.
Labels
Clear labels   
app:activities
Standalone Sortir activities app

  
app:chat
Standalone chat app

  
app:events

   
app:forum

   
app:libra

   
app:market
Standalone marketplace app

  
app:restaurant

   
app:tasks

   
app:wallet
Standalone wallet app

  
app:webapp
Main webapp (all modules)

  
bug
Something is not working

  
enhancement
New feature or improvement

No labels
app:activities
app:chat
app:events
app:forum
app:libra
app:market
app:restaurant
app:tasks
app:wallet
app:webapp
bug
enhancement
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
aiolabs/webapp#35
No description provided.