cal/paper-dynasty-card-creation
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: load API bearer token from env var instead of hardcoding (#2) #44

Closed
Claude wants to merge 1 commits from ai/paper-dynasty-card-creation-2 into main
pull from: ai/paper-dynasty-card-creation-2
merge into: cal:main
Conversation 0 Commits 1 Files Changed 3 +16 -6
Claude commented 2026-03-21 08:33:48 +00:00
Collaborator
Copy Link

Closes #2

Summary

Removes the hardcoded PD_API_TOKEN bearer token from source files and loads it from the environment instead.

Changes

  • db_calls.py: Added import os, from dotenv import load_dotenv, call load_dotenv() at module level, replaced hardcoded token with os.environ.get('PD_API_TOKEN', '')
  • .claude/ops-rework/check_prod_missing_ratings.py: Same pattern applied
  • pyproject.toml: Added python-dotenv>=1.0.0 as a dependency

How it works

The .env file (already present and gitignored) contains:

PD_API_TOKEN=<token>

load_dotenv() loads this file when present, so local dev works automatically. In CI/production, the env var should be set directly.

Other observations

  • The old token Tp3aO3jhYve5NJF1IqOmJTmk was already committed to git history — Cal should consider rotating it in the Paper Dynasty API admin panel.
Closes #2 ## Summary Removes the hardcoded `PD_API_TOKEN` bearer token from source files and loads it from the environment instead. ## Changes - **`db_calls.py`**: Added `import os`, `from dotenv import load_dotenv`, call `load_dotenv()` at module level, replaced hardcoded token with `os.environ.get('PD_API_TOKEN', '')` - **`.claude/ops-rework/check_prod_missing_ratings.py`**: Same pattern applied - **`pyproject.toml`**: Added `python-dotenv>=1.0.0` as a dependency ## How it works The `.env` file (already present and gitignored) contains: ``` PD_API_TOKEN=<token> ``` `load_dotenv()` loads this file when present, so local dev works automatically. In CI/production, the env var should be set directly. ## Other observations - The old token `Tp3aO3jhYve5NJF1IqOmJTmk` was already committed to git history — Cal should consider rotating it in the Paper Dynasty API admin panel.
Claude added 1 commit 2026-03-21 08:33:50 +00:00 
Closes #2

Removes hardcoded bearer token from db_calls.py and .claude/ops-rework/check_prod_missing_ratings.py.
Both files now call load_dotenv() and read PD_API_TOKEN from the environment.
The .env file (already gitignored) already contains the PD_API_TOKEN key.
Added python-dotenv>=1.0.0 to pyproject.toml dependencies.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude added the
ai-reviewing
 label 2026-03-21 08:45:49 +00:00
Claude reviewed 2026-03-21 08:46:52 +00:00
Claude left a comment
Author
Collaborator
Copy Link

AI Code Review

Files Reviewed

  • db_calls.py (modified)
  • .claude/ops-rework/check_prod_missing_ratings.py (modified)
  • pyproject.toml (modified)

Findings

Correctness

  • load_dotenv() is called at module level before AUTH_TOKEN is assigned in both files — ordering is correct.
  • os.environ.get('PD_API_TOKEN', '') falls back to an empty string if the var is unset, producing "Bearer " — API calls will fail with a 401/403. This is acceptable behavior (fails loudly enough in practice), but a startup warning log on empty token would improve DX.

Security

  • Primary fix is correct: hardcoded token Tp3aO3jhYve5NJF1IqOmJTmk is removed from source.
  • Token rotation still required — as the PR body notes, the token is in git history and must be rotated in the Paper Dynasty API admin panel to be fully remediated.
  • No new secrets introduced.

Style & Conventions

  • Several cosmetic f-string quote normalizations (outer single → outer double) are included in db_calls.py beyond the core credential fix (lines in get_req_url, log_return_value, player_desc). These are harmless but outside the stated scope of the PR.

Suggestions

  • Optional: add a warning when PD_API_TOKEN is empty so misconfigured environments surface a clear message rather than a silent 401: 
    load_dotenv()
_token = os.environ.get('PD_API_TOKEN', '')
if not _token:
    import logging; logging.getLogger(__name__).warning("PD_API_TOKEN is not set — API calls will fail")
AUTH_TOKEN = {"Authorization": f"Bearer {_token}"}

Verdict: COMMENT (LGTM)

Clean, correct fix. The pattern is applied consistently to both files, the dependency is properly declared, and the load ordering is right. Merge when the hardcoded token has been rotated in the API admin panel (git history remediation is a separate concern and doesn't need to block this PR).

Automated review by Claude PR Reviewer

## AI Code Review ### Files Reviewed - `db_calls.py` (modified) - `.claude/ops-rework/check_prod_missing_ratings.py` (modified) - `pyproject.toml` (modified) ### Findings #### Correctness - `load_dotenv()` is called at module level before `AUTH_TOKEN` is assigned in both files — ordering is correct. - `os.environ.get('PD_API_TOKEN', '')` falls back to an empty string if the var is unset, producing `"Bearer "` — API calls will fail with a 401/403. This is acceptable behavior (fails loudly enough in practice), but a startup warning log on empty token would improve DX. #### Security - Primary fix is correct: hardcoded token `Tp3aO3jhYve5NJF1IqOmJTmk` is removed from source. - **Token rotation still required** — as the PR body notes, the token is in git history and must be rotated in the Paper Dynasty API admin panel to be fully remediated. - No new secrets introduced. #### Style & Conventions - Several cosmetic f-string quote normalizations (outer single → outer double) are included in `db_calls.py` beyond the core credential fix (lines in `get_req_url`, `log_return_value`, `player_desc`). These are harmless but outside the stated scope of the PR. #### Suggestions - Optional: add a warning when `PD_API_TOKEN` is empty so misconfigured environments surface a clear message rather than a silent 401: ```python load_dotenv() _token = os.environ.get('PD_API_TOKEN', '') if not _token: import logging; logging.getLogger(__name__).warning("PD_API_TOKEN is not set — API calls will fail") AUTH_TOKEN = {"Authorization": f"Bearer {_token}"} ``` ### Verdict: COMMENT (LGTM) Clean, correct fix. The pattern is applied consistently to both files, the dependency is properly declared, and the load ordering is right. Merge when the hardcoded token has been rotated in the API admin panel (git history remediation is a separate concern and doesn't need to block this PR). --- *Automated review by Claude PR Reviewer*
Claude added
ai-reviewed
 and removed
ai-reviewing
 labels 2026-03-21 08:47:11 +00:00
cal closed this pull request 2026-03-23 03:50:17 +00:00

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
ai-merged

PR merged by AI ops agent

  
ai-pr-opened

   
ai-reviewed

   
ai-reviewing

   
ai-working
No Label
ai-merged
ai-pr-opened
ai-reviewed
ai-reviewing
ai-working
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: cal/paper-dynasty-card-creation#44
No description provided.
Delete Branch "ai/paper-dynasty-card-creation-2"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?