FROM CACHE - en_header

Does ApolloProvider expose my API_KEY?

CRandyHill
Excursionist
17 0 5
‎08-08-2020 05:01 PM

Does ApolloProvider expose my API_KEY?

This is a newb question for sure. I built my app based on this tutorial, and it's working well so far. 

https://shopify.dev/tutorials/build-a-shopify-app-with-node-and-react/fetch-data-with-apollo

But while upgrading to Typescript, I'm just noticing this section of code (since typescript doesn't known what API_KEY is).

class MyApp extends App {
  render() {
    const { Component, pageProps } = this.props;
    const config = { apiKey: API_KEY, shopOrigin: Cookies.get("shopOrigin"), forceRedirect: true };
    return (
      <React.Fragment>
        <Head>
          <title>Sample App</title>
          <meta charSet="utf-8" />
        </Head>
       <Provider config={config}>
          <AppProvider>
          <Component {...pageProps} />
          <ApolloProvider client={client}>
            <Component {...pageProps} />
          </ApolloProvider>
          </AppProvider>
        </Provider>
      </React.Fragment>
    );
  }
}

 

It appears that Next.js is fetching the API_KEY from my .env file on the server and inserting it into a client-side page? Is this a security issue I need to fix, or am I misunderstanding what's going on here?

384 Views
0 Likes
Report
Replies 2 (2)
AndyPicamaze
Explorer
41 1 15
‎08-09-2020 12:12 AM

Re: Does ApolloProvider expose my API_KEY?

Hi, 

If you run 'npm run build' and then 'grep -r API_KEY .' you'll see that the API_KEY is exposed. The only use of it I was able to see is to get redirected to the embedded app url if you try to access any page directly (e.g app.mybackend.com/page -> xxx.myshopify.com/admin/apps/API_KEY ). This behaviour is controlled with forceRedirect config param.

When you create an app from your Partners dashboard it has a handle assigned and the app can be accessed by appending the handle to the url (e.g xxx.myshopify.com/admin/apps/picamaze in my case). I haven't tested it in production but my guess is that if you put apiKey: your_product_handle will work.

Wondering what security issues you might have exposing just the API key without the password?

Good luck.

https://apps.shopify.com/picamaze
Animated watermarks for product images and ads
347 Views
Report
CRandyHill
Excursionist
17 0 5
‎08-09-2020 03:38 PM

Re: Does ApolloProvider expose my API_KEY?

Andy,

Thanks! This was very helpful. Didn't want to be alarmist, just to better understand possible security issues.

best,

Randy

311 Views
0 Likes
Report

Community Blog Articles

E23_social share_1200x6751.jpg
Shopify Community AMA: Winter Editions ‘23 Recap

Thanks to all Community members that participated in our inaugural 2 week AMA on the new E...

By Jacqui Mar 10, 2023
shopify-academy-foundations-certification-16-9-v1-size.png
Introducing Shopify Certifications

Upskill and stand out with the new Shopify Foundations Certification program

By SarahF_Shopify Mar 6, 2023
notebook-and-coffee.jpg
Adding and Creating Store Policies

One of the key components to running a successful online business is having clear and co...

By Ollie Mar 6, 2023
Terms of Service Privacy Policy