Skip to content
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions site/public/robots.txt
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
User-agent: *
Allow: /
Disallow: /_assets/

Sitemap: https://synthorg.io/sitemap-index.xml
Sitemap: https://synthorg.io/docs/sitemap.xml
9 changes: 9 additions & 0 deletions site/src/components/ContactForm.astro
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,8 @@
></textarea>
</div>

<input type="hidden" id="captchaResponse" name="g-recaptcha-response" />

<button
type="submit"
id="contact-submit"
Expand Down Expand Up @@ -106,6 +108,13 @@
errorMsg.classList.add("hidden");

try {
// Get fresh reCAPTCHA v3 token before submission
if (typeof grecaptcha !== "undefined") {
const token = await grecaptcha.execute("6LdQkossAAAAADwxZo5bt8p6az7P3M6I_8k4_ypu", { action: "contact" });

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

This reCAPTCHA site key is hardcoded. To improve security and maintainability, it's best to avoid hardcoding keys. Instead, you should load it from an environment variable and pass it to this client-side script.

A common pattern in Astro is to:

  1. Read the environment variable in the component's frontmatter (e.g., const recaptchaSiteKey = import.meta.env.PUBLIC_RECAPTCHA_SITE_KEY;).
  2. Pass it to the template via a data attribute on the form: <form data-recaptcha-key={recaptchaSiteKey} ...>.
  3. Access it in the script via form.dataset.recaptchaKey.

Remember to also add a check to ensure form.dataset.recaptchaKey is available before using it.

          const token = await grecaptcha.execute(form.dataset.recaptchaKey, { action: "contact" });

Comment thread
coderabbitai[bot] marked this conversation as resolved.
Outdated
const captchaInput = form.querySelector<HTMLInputElement>("#captchaResponse");
if (captchaInput) captchaInput.value = token;
}
Comment thread
coderabbitai[bot] marked this conversation as resolved.

const res = await fetch(form.action, {
method: "POST",
body: new FormData(form),
Expand Down
6 changes: 5 additions & 1 deletion site/src/layouts/Base.astro
Original file line number Diff line number Diff line change
Expand Up @@ -64,8 +64,12 @@ const canonicalUrl = Astro.url;
</noscript>
</head>
<body class="bg-[#0F1219] text-white font-['Inter',sans-serif] antialiased">
<slot />
<main>
<slot />
</main>
Comment thread
coderabbitai[bot] marked this conversation as resolved.
<!-- GitHub buttons (https://buttons.github.io/) -->
<script async defer src="https://buttons.github.io/buttons.js"></script>
<!-- Google reCAPTCHA v3 (contact form spam protection) -->
<script async defer src="https://www.google.com/recaptcha/api.js?render=6LdQkossAAAAADwxZo5bt8p6az7P3M6I_8k4_ypu"></script>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Hardcoding API keys, even public ones like a reCAPTCHA site key, is not recommended. It makes managing keys across different environments (e.g., development, production) difficult and error-prone. Please store this key in an environment variable and access it using Astro's import.meta.env feature. Remember that public client-side environment variables must be prefixed with PUBLIC_.

    <script async defer src={`https://www.google.com/recaptcha/api.js?render=${import.meta.env.PUBLIC_RECAPTCHA_SITE_KEY}`}></script>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Consider extracting the reCAPTCHA site key to a shared constant.

The site key 6LdQkossAAAAADwxZo5bt8p6az7P3M6I_8k4_ypu is duplicated here and in ContactForm.astro (line 113). If the key ever changes, both locations need updating.

Consider defining it once (e.g., in an environment variable or a shared config) and referencing it in both places.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@site/src/layouts/Base.astro` around lines 72 - 73, Extract the hard-coded
reCAPTCHA site key into a single shared constant (for example
PUBLIC_RECAPTCHA_SITE_KEY) and reference that constant in both Base.astro and
ContactForm.astro; implement it by placing the key in an environment variable
exposed to the client (e.g., via import.meta.env.PUBLIC_RECAPTCHA_SITE_KEY) or a
shared config module, then replace the inline literal in Base.astro's script src
and the literal used in ContactForm.astro (line ~113) with the shared variable
(e.g., use ?render=${PUBLIC_RECAPTCHA_SITE_KEY}) so updates happen in one place.

</body>
</html>
Loading