fix(security): remove hardcoded API key references and standardize environment variables (#143)

Author: jaypatrick

.env.example

@@ -2,12 +2,30 @@
 # Environment Variables for ad-blocking toolkit
 # Copy this file to .env and fill in your values
 # =============================================================================
+# SECURITY: Never commit .env files with real credentials!
+# This file is tracked in git as an example. Your .env file is gitignored.
+# =============================================================================
 
 # Debug mode (set to any value to enable)
 DEBUG=
 
-# AdGuard DNS API Key (for Console UI)
-ADGUARD_API_KEY=
+# =============================================================================
+# AdGuard DNS API Configuration
+# =============================================================================
+# Use ONE of the following formats (ADGUARD_AdGuard__ApiKey is recommended
+# for cross-platform compatibility across .NET, TypeScript, Rust, etc.):
+#
+# Recommended (cross-platform format - works with C#, TypeScript, Rust CLI, and others):
+ADGUARD_AdGuard__ApiKey=
+#
+# Alternative (TypeScript/JavaScript fallback for existing configs; new projects
+# should prefer ADGUARD_AdGuard__ApiKey, but the TypeScript client supports both):
+# ADGUARD_API_KEY=
+#
+# Legacy (Rust CLI only, deprecated):
+# ADGUARD_API_TOKEN=
 
-# Linear API Key (for Linear import scripts)
+# =============================================================================
+# Linear Integration (for Linear import scripts in src/linear/)
+# =============================================================================
 LINEAR_API_KEY=

src/adguard-api-dotnet/src/AdGuard.ConsoleUI/appsettings.json

@@ -1,6 +1,5 @@
 {
   "AdGuard": {
-    "ApiKey": "",
     "BaseUrl": "https://api.adguard-dns.io/oapi/v1"
   }
 }

src/adguard-api-typescript/jest.config.js …c/adguard-api-typescript/jest.config.cjssrc/adguard-api-typescript/jest.config.js renamed to src/adguard-api-typescript/jest.config.cjs src/adguard-api-typescript/jest.config.js renamed to src/adguard-api-typescript/jest.config.cjs

@@ -1,9 +1,18 @@
 /** @type {import('jest').Config} */
 module.exports = {
-  preset: 'ts-jest',
+  preset: 'ts-jest/presets/default-esm',
   testEnvironment: 'node',
   roots: ['<rootDir>/src', '<rootDir>/tests'],
   testMatch: ['**/*.test.ts'],
+  extensionsToTreatAsEsm: ['.ts'],
+  transform: {
+    '^.+\\.tsx?$': [
+      'ts-jest',
+      {
+        useESM: true,
+      },
+    ],
+  },
   collectCoverageFrom: [
     'src/**/*.ts',
     '!src/**/*.d.ts',
@@ -20,6 +29,7 @@ module.exports = {
     },
   },
   moduleNameMapper: {
+    '^(\\.{1,2}/.*)\\.js$': '$1',
     '^@/(.*)$': '<rootDir>/src/$1',
   },
   setupFilesAfterEnv: ['<rootDir>/tests/setup.ts'],

src/adguard-api-typescript/src/client.ts

@@ -81,14 +81,33 @@ export class ApiClientFactory {
 
   /**
    * Configure from environment variable
-   * @param envVar - Environment variable name (default: ADGUARD_API_KEY)
+   *
+   * Supports multiple environment variable naming conventions:
+   * - .NET-compatible format: ADGUARD_AdGuard__ApiKey (recommended, tried first)
+   * - Legacy/alternative format: ADGUARD_API_KEY (fallback)
+   *
+   * @param envVar - Custom environment variable name (overrides default lookup)
    * @param logger - Optional logger
    */
-  configureFromEnv(envVar: string = 'ADGUARD_API_KEY', logger?: Logger): void {
-    const apiKey = process.env[envVar];
-    if (!apiKey) {
-      throw new Error(`Environment variable ${envVar} is not set`);
+  configureFromEnv(envVar?: string, logger?: Logger): void {
+    let apiKey: string | undefined;
+
+    if (envVar) {
+      // Use explicitly provided environment variable name
+      apiKey = process.env[envVar];
+      if (!apiKey) {
+        throw new Error(`Environment variable ${envVar} is not set`);
+      }
+    } else {
+      // Try .NET-compatible format first, then fallback to legacy format
+      apiKey = process.env['ADGUARD_AdGuard__ApiKey'] ?? process.env['ADGUARD_API_KEY'];
+      if (!apiKey) {
+        throw new Error(
+          'API key not configured. Set ADGUARD_AdGuard__ApiKey (recommended) or ADGUARD_API_KEY environment variable.'
+        );
+      }
     }
+
     this.configure(apiKey, logger);
   }
 
@@ -239,14 +258,33 @@ export class AdGuardDnsClient {
 
   /**
    * Create client from environment variable
-   * @param envVar - Environment variable name (default: ADGUARD_API_KEY)
+   *
+   * Supports multiple environment variable naming conventions:
+   * - .NET-compatible format: ADGUARD_AdGuard__ApiKey (recommended, tried first)
+   * - Legacy/alternative format: ADGUARD_API_KEY (fallback)
+   *
+   * @param envVar - Custom environment variable name (overrides default lookup)
    * @param logger - Optional logger
    */
-  static fromEnv(envVar: string = 'ADGUARD_API_KEY', logger?: Logger): AdGuardDnsClient {
-    const apiKey = process.env[envVar];
-    if (!apiKey) {
-      throw new Error(`Environment variable ${envVar} is not set`);
+  static fromEnv(envVar?: string, logger?: Logger): AdGuardDnsClient {
+    let apiKey: string | undefined;
+
+    if (envVar) {
+      // Use explicitly provided environment variable name
+      apiKey = process.env[envVar];
+      if (!apiKey) {
+        throw new Error(`Environment variable ${envVar} is not set`);
+      }
+    } else {
+      // Try .NET-compatible format first, then fallback to legacy format
+      apiKey = process.env['ADGUARD_AdGuard__ApiKey'] ?? process.env['ADGUARD_API_KEY'];
+      if (!apiKey) {
+        throw new Error(
+          'API key not configured. Set ADGUARD_AdGuard__ApiKey (recommended) or ADGUARD_API_KEY environment variable.'
+        );
+      }
     }
+
     return AdGuardDnsClient.withApiKey(apiKey, logger);
   }
 

src/adguard-api-typescript/tests/client.test.ts

@@ -26,13 +26,57 @@ describe('AdGuardDnsClient', () => {
   });
 
   describe('fromEnv', () => {
-    it('should create client from environment variable', () => {
+    it('should create client from custom environment variable', () => {
       process.env.TEST_API_KEY = 'test-key';
       const client = AdGuardDnsClient.fromEnv('TEST_API_KEY');
       expect(client).toBeInstanceOf(AdGuardDnsClient);
       delete process.env.TEST_API_KEY;
     });
 
+    it('should prefer ADGUARD_AdGuard__ApiKey when no envVar specified', () => {
+      const originalDotNet = process.env.ADGUARD_AdGuard__ApiKey;
+      const originalLegacy = process.env.ADGUARD_API_KEY;
+
+      process.env.ADGUARD_AdGuard__ApiKey = 'dotnet-format-key';
+      process.env.ADGUARD_API_KEY = 'legacy-format-key';
+
+      const client = AdGuardDnsClient.fromEnv();
+      expect(client).toBeInstanceOf(AdGuardDnsClient);
+
+      // Restore original values
+      if (originalDotNet !== undefined) {
+        process.env.ADGUARD_AdGuard__ApiKey = originalDotNet;
+      } else {
+        delete process.env.ADGUARD_AdGuard__ApiKey;
+      }
+      if (originalLegacy !== undefined) {
+        process.env.ADGUARD_API_KEY = originalLegacy;
+      } else {
+        delete process.env.ADGUARD_API_KEY;
+      }
+    });
+
+    it('should fallback to ADGUARD_API_KEY when ADGUARD_AdGuard__ApiKey not set', () => {
+      const originalDotNet = process.env.ADGUARD_AdGuard__ApiKey;
+      const originalLegacy = process.env.ADGUARD_API_KEY;
+
+      delete process.env.ADGUARD_AdGuard__ApiKey;
+      process.env.ADGUARD_API_KEY = 'legacy-format-key';
+
+      const client = AdGuardDnsClient.fromEnv();
+      expect(client).toBeInstanceOf(AdGuardDnsClient);
+
+      // Restore original values
+      if (originalDotNet !== undefined) {
+        process.env.ADGUARD_AdGuard__ApiKey = originalDotNet;
+      }
+      if (originalLegacy !== undefined) {
+        process.env.ADGUARD_API_KEY = originalLegacy;
+      } else {
+        delete process.env.ADGUARD_API_KEY;
+      }
+    });
+
     it('should throw when env var not set', () => {
       expect(() => AdGuardDnsClient.fromEnv('NONEXISTENT_VAR')).toThrow();
     });

src/adguard-api-typescript/tests/helpers/retry.test.ts

@@ -2,8 +2,7 @@
  * Retry policy helper tests
  */
 
-/// <reference types="jest" />
-
+import { jest } from '@jest/globals';
 import { AxiosError } from 'axios';
 import {
   executeWithRetry,

src/adguard-api-typescript/tests/rules-compiler-integration.test.ts

@@ -2,6 +2,7 @@
  * Rules compiler integration tests
  */
 
+import { jest } from '@jest/globals';
 import { RulesCompilerIntegration } from '../src/rules-compiler-integration';
 import { UserRulesRepository } from '../src/repositories/user-rules';
 import { DnsServerRepository } from '../src/repositories/dns-server';

src/adguard-api-typescript/tests/setup.ts

@@ -1,11 +1,17 @@
 /**
  * Jest test setup file
+ *
+ * IMPORTANT: This file sets up test-only mock values.
+ * These are NOT real credentials and are only used for unit testing.
  */
 
-/// <reference types="jest" />
+import { jest } from '@jest/globals';
 
 // Increase timeout for integration tests
 jest.setTimeout(30000);
 
-// Mock environment variables for tests
-process.env.ADGUARD_API_KEY = process.env.ADGUARD_API_KEY || 'test-api-key';
+// Set test-only mock API key for unit tests (NOT a real credential)
+// Real integration tests should use actual credentials from environment
+const TEST_MOCK_API_KEY = 'test-mock-api-key-for-unit-tests';
+process.env.ADGUARD_API_KEY = process.env.ADGUARD_API_KEY || TEST_MOCK_API_KEY;
+process.env.ADGUARD_AdGuard__ApiKey = process.env.ADGUARD_AdGuard__ApiKey || TEST_MOCK_API_KEY;