If I for example what to use the GIthub API, I don't want to expose my secret? How would I do that?
kevinsimper
All 16 comments
@kevinsimper you can use Hashicorp Vault to store your secret key.
ghost
on 27 Oct 2016
But I was talking about client/server? How does vault prevent that?
kevinsimper
on 27 Oct 2016
I think one way of doing it is by setting environment variables.
And then you can use process.env.GITHUB_API_KEY for example (only available from the server side)
Atinux
on 27 Oct 2016
That won't work either. You need an api to proxy those requests to github.
luisrudge
on 27 Oct 2016
You will need to proxy calls to you server api.
mping
on 27 Oct 2016
environment variables should work.
nkzawa
on 14 Nov 2016
Would like to reopen this as environment variable will work on the first request, however, navigating using <Link> would make process.env.VAR undefined in the browser.
Any workarounds?
416serg
on 10 Feb 2017
@416serg This is the way to go on that :smile: https://github.com/zeit/next.js/tree/master/examples/with-universal-configuration
timneutkens
on 11 Feb 2017
@timneutkens Thanks Tim!
I've set that up for it to work, which is awesome, however, I still am worried about passing secret keys to it as when I inspect the page with this structure, I still see the key on client.
Example:
env-config.js
const prod = process.env.NODE_ENV === 'production'
module.exports = {
'API_KEY': prod ? 'companySecret' : 'companySecret'
}
index.js
/* global API_KEY */
import React from 'react'
import { Jumbotron, Button } from 'react-bootstrap'
import Link from 'next/link'
import 'isomorphic-fetch'
import Layout from '../components/layout'
import JobList from '../components/joblist'
export default class HomePage extends React.Component {
static async getInitialProps () {
console.log(API_KEY)
const res = await fetch(`https://api.lever.co/v0/postings/${API_KEY}`)
const json = await res.json()
return { jobs: json }
}
render () {
return (
<Layout title="Careers at ClearCapital">
<Jumbotron>
<h1>Work at ClearCapital</h1>
</Jumbotron>
<JobList jobs={this.props.jobs} />
</Layout>
)
}
}
Is there anything I can do to avoid exposing the secret key to the client, yet still have the functionality to go back and forth between <Link/>s
Thanks again! 馃槃
416serg
on 13 Feb 2017
@416serg the best thing you can do in that case is move the api call into a microservice and call that microservice. Possibly using https://github.com/zeit/micro 馃憤
timneutkens
on 13 Feb 2017
@timneutkens is there an example where I can see how to connect to a micro service from my nextjs app?
416serg
on 13 Feb 2017
@416serg you would simply use fetch as normal
https://github.com/zeit/next.js/tree/master/examples/data-fetch
tim-phillips
on 2 Mar 2017
@416serg I believe you could use browserify transforms (bpb || inline-process-browser) && unreachable-branch-transform (with transform-loader of course, to adapt them for use with webpack)
mattbrunetti
on 24 May 2017
@mattbrunetti though that would mean the secret is in the browser. If the browser has the secret, the user has the secret.
tim-phillips
on 25 May 2017
@babenzele The combination is used to strip server-side-only code from your browser build.
source: const secret = process.browser ? 'nope, sorry' : 'I liked The Notebook'
after bpb: const secret = true ? 'nope, sorry' : 'I liked The Notebook'
after unreachable-branch-transform: const secret = 'nope, sorry'
mattbrunetti
on 25 May 2017
@babenzele If you're using a a minifier like uglify i guess that would do the job of the second transform
mattbrunetti
on 25 May 2017
Related issues
rauchg
路
3Comments
pie6k
路
3Comments
swrdfish
路
3Comments
formula349
路
3Comments
timneutkens
路
3Comments
Most helpful comment
@babenzele The combination is used to strip server-side-only code from your browser build.
source:
const secret = process.browser ? 'nope, sorry' : 'I liked The Notebook'after bpb:
const secret = true ? 'nope, sorry' : 'I liked The Notebook'after unreachable-branch-transform:
const secret = 'nope, sorry'