Closed ViolanteCodes closed 2 years ago
I removed the comment in the source code.
I disagree that it's secure to use the token on the client-side if it is read-only. Any draft data can contain any private notes and you can't leak users' data from ButterCMS to the public.
There are 2 ways of search implementation on the client-side:
@orlyohreally I've moved this onto a separate board I'm keeping for "things for farther review later"?
> I disagree that it's secure to use the token on the client-side if it is read-only. Any draft data can contain any private notes and you can't leak users' data from ButterCMS to the public.
I agree, but since we define preview mode via an env variable, the builds for draft versions and published ones are going to be two different apps, so it's the user who will need to make sure that their 'preview' app is available only to restricted users. Do you agree?
Closing, as the note has been removed and the underlying issue to be analyzed has been moved to another board.