In-memory singleton Valyu client shares a single API key across all requests #40
Open
Description
- Context: Cloud
- Category: Vulnerability (Credential Sharing / Isolation)
- Severity: Medium
Evidence
```ts
// lib/valyu.ts
import { Valyu } from "valyu-js"; // import not shown in the issue; package name assumed

// Module-level singleton: created once per isolate and reused by every request.
let valyuInstance: Valyu | null = null;

function getValyuClient(): Valyu {
  if (!valyuInstance) {
    // One organization-wide key from the environment, regardless of which user is calling.
    const apiKey = process.env.VALYU_API_KEY;
    valyuInstance = new Valyu(apiKey);
  }
  return valyuInstance;
}
```

The same pattern is duplicated in app/api/deepresearch/route.ts and app/api/deepresearch/[taskId]/route.ts. In self-hosted mode every user's request uses the same organization API key — there is no per-user credential isolation. One user's heavy usage directly impacts all other users' available credits.
In serverless/edge deployments, module-level state (valyuInstance, accessToken, cachedFlights, cachedBases) may be shared across concurrent requests in the same isolate, leading to race conditions on token refresh.
Affected files: lib/valyu.ts, app/api/deepresearch/route.ts, app/api/deepresearch/[taskId]/route.ts, app/api/military-flights/route.ts
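The following is an added illustration, not code from the project or from the issue author. It reproduces the reported module-level singleton with a stand-in client class (the real SDK constructor signature is assumed), then shows two mitigations a maintainer might consider: constructing the client per request from a credential bound to the caller (the `RequestContext` shape and `userApiKey` field are hypothetical), and de-duplicating concurrent token refreshes so that parallel requests inside one isolate await a single in-flight refresh instead of racing on the shared `accessToken` state.

```typescript
// Added example (not project code): reported singleton pattern beside two mitigations.

// Minimal stand-in for the SDK client; the real constructor signature is assumed.
class ApiClient {
  constructor(public readonly apiKey: string) {}
}

// --- Reported pattern: one instance, one key, for every request in the isolate ---
let sharedInstance: ApiClient | null = null;

function getSharedClient(orgApiKey: string): ApiClient {
  if (!sharedInstance) {
    sharedInstance = new ApiClient(orgApiKey);
  }
  return sharedInstance; // every caller, whoever they are, gets this same key
}

// --- Mitigation 1: per-request client bound to the caller's own credential ---
interface RequestContext {
  // Hypothetical: a per-user key resolved from the caller's session, not from the environment.
  userApiKey?: string;
}

function getClientForRequest(ctx: RequestContext): ApiClient {
  if (!ctx.userApiKey) {
    // Fail closed instead of silently falling back to the organization-wide key.
    throw new Error("no per-user API credential for this request");
  }
  return new ApiClient(ctx.userApiKey);
}

// --- Mitigation 2: race-free refresh of module-level token state ---
interface CachedToken {
  value: string;
  expiresAt: number;
}

let cachedToken: CachedToken | null = null;
let refreshInFlight: Promise<string> | null = null;
let refreshCalls = 0;

// Simulated identity-provider call (constructed; a real one would be an HTTP request).
function fetchNewToken(): Promise<string> {
  refreshCalls += 1;
  const issued = refreshCalls;
  return new Promise(resolve => setTimeout(() => resolve(`token-${issued}`), 5));
}

// Concurrent callers that find the cache expired share one refresh promise.
function getAccessToken(now: number = Date.now(), ttlMs: number = 60000): Promise<string> {
  if (cachedToken && cachedToken.expiresAt > now) {
    return Promise.resolve(cachedToken.value);
  }
  if (!refreshInFlight) {
    refreshInFlight = fetchNewToken().then(
      value => {
        cachedToken = { value, expiresAt: now + ttlMs };
        refreshInFlight = null;
        return value;
      },
      err => {
        refreshInFlight = null; // allow a retry after a failed refresh
        throw err;
      },
    );
  }
  return refreshInFlight;
}

// Exposed so callers (and tests) can observe how many upstream refreshes actually happened.
function refreshCallCount(): number {
  return refreshCalls;
}
```

With the shared singleton, a second caller passing a different key still receives the first key; with the per-request variant, two users get two distinct clients and a request with no credential is rejected. Three simultaneous calls to `getAccessToken` while the cache is empty trigger exactly one upstream refresh and resolve to the same token, which is the behaviour the shared-state race in the issue lacks.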