FROM CACHE - en_header

Does ApolloProvider expose my API_KEY?

CRandyHill
Excursionist
17 0 5
‎08-08-2020 05:01 PM

This is a newb question for sure. I built my app based on this tutorial, and it's working well so far. 

https://shopify.dev/tutorials/build-a-shopify-app-with-node-and-react/fetch-data-with-apollo

But while upgrading to Typescript, I'm just noticing this section of code (since typescript doesn't known what API_KEY is).

class MyApp extends App {
  render() {
    const { Component, pageProps } = this.props;
    const config = { apiKey: API_KEY, shopOrigin: Cookies.get("shopOrigin"), forceRedirect: true };
    return (
      <React.Fragment>
        <Head>
          <title>Sample App</title>
          <meta charSet="utf-8" />
        </Head>
       <Provider config={config}>
          <AppProvider>
          <Component {...pageProps} />
          <ApolloProvider client={client}>
            <Component {...pageProps} />
          </ApolloProvider>
          </AppProvider>
        </Provider>
      </React.Fragment>
    );
  }
}

 

It appears that Next.js is fetching the API_KEY from my .env file on the server and inserting it into a client-side page? Is this a security issue I need to fix, or am I misunderstanding what's going on here?

425 Views
0 Likes
Report
Replies 2 (2)
AndyPicamaze
Explorer
41 1 15
‎08-09-2020 12:12 AM

Hi, 

If you run 'npm run build' and then 'grep -r API_KEY .' you'll see that the API_KEY is exposed. The only use of it I was able to see is to get redirected to the embedded app url if you try to access any page directly (e.g app.mybackend.com/page -> xxx.myshopify.com/admin/apps/API_KEY ). This behaviour is controlled with forceRedirect config param.

When you create an app from your Partners dashboard it has a handle assigned and the app can be accessed by appending the handle to the url (e.g xxx.myshopify.com/admin/apps/picamaze in my case). I haven't tested it in production but my guess is that if you put apiKey: your_product_handle will work.

Wondering what security issues you might have exposing just the API key without the password?

Good luck.

https://apps.shopify.com/picamaze
Animated watermarks for product images and ads
388 Views
Report
In response to AndyPicamaze
CRandyHill
Excursionist
17 0 5
‎08-09-2020 03:38 PM

Andy,

Thanks! This was very helpful. Didn't want to be alarmist, just to better understand possible security issues.

best,

Randy

352 Views
0 Likes
Report

Community Blog Articles

Skye_0-1685651890195.png
Creating a Shopify Store: The Importance Of Choosing The Right Theme

As a business owner, have you ever wondered when your customer's first impression of yo...

By Skye Jun 6, 2023
31-54-5hg9c-2x272
Community Update! Threading Improvements

We're excited to announce improvements to the threaded messaging experience in our communi...

By TyW May 31, 2023
crowd-participating-at-event.jpg
We Answered Your Questions to Help You Get the Most Out of Your Shopify <> ...

Thank you to everyone who participated in our AMA with Klaviyo. It was great to see so man...

By Jacqui May 30, 2023
Terms of Service Privacy Policy