Web3.Storage Access Key Is Published To The Client

[dysbulic]

What happened?

If you look at the sources sent to the client, it includes a configuration object that looks like:

{
  appEnv: eA.env.APP_ENV || "development",
  nodeEnv: "production",
  graphqlURL: "https://api.metagame.wtf/v1/graphql",
  infuraId: eA.env.NEXT_PUBLIC_INFURA_ID || "781d8466252d47508e177b8637b1c2fd",
  brightIdAppURL: eA.env.NEXT_BRIGHTID_APP_URL || "https://app.brightid.org",
  brightIdNodeURL: eA.env.NEXT_BRIGHTID_NODE_URL || "http:%2f%2fnode.brightid.org",
  publicURL: "https://metagame.wtf",
  gaId: "G-B1NKK3Q1BP",
  honeybadgerAPIKey: "hbp_2DxpssgdezjXwuKwGih237lnOkXWsD4FUOqE",
  get useHoneybadger() {
      return "production" === this.appEnv && !!this.honeybadgerAPIKey
  },
  userbackToken: "37882|74240|mjn1zXGiYaozZR6qmqFfjl9Sk",
  discordAPIBaseUrl: eA.env.DISCORD_API_BASE_URL || "https://discord.com/api/v8",
  ceramicURL: "https://ceramic.metagame.wtf",
  ceramicNetwork: eA.env.NEXT_PUBLIC_CERAMIC_NETWORK || "mainnet",
  googleDataAPIKey: "AIzaSyBxF0dE-OkUvWRFFxK6Y024gq4dyahd_yU",
  web3StorageToken: eA.env.NEXT_PUBLIC_WEB3_STORAGE_TOKEN,
  web3StorageKey: "MgCZa50IvgpP7ykO1ZyibcbvxplW+Sk5ERsB2YGZgPLNSmO0B63sdY+6lyvnvIgTxjkWlRJd24In+rLjGeY8ad8WG8xc=",
  web3StorageDID: "did:key:z6MkgSqgKhSscJfmSWvcBf4DmmRhGHnb5L3E3h4gMbRoA5Cw",
  web3StorageProof: eA.env.WEB3_STORAGE_PROOF,
  openseaAPIKey: "5fcc9afed4f042c4a3b6918d19a0fa60",
  alchemyAPIKey: eA.env.NEXT_PUBLIC_ALCHEMY_API_KEY,
  mainnetRPC: eA.env.NEXT_PUBLIC_MAINNET_RPC || "https://eth.llamarpc.com",
  calendarEndpoint: "/api/events",
  gcal: {
      calendarId: "nih59ktgafmm64ed4qk6ue8vv4",
      privateKey: null === (em = eA.env.GCAL_PRIVATE_KEY) || void 0 === em ? void 0 : em.replace(/\\n/g, "\n"),
      clientEmail: eA.env.GCAL_CLIENT_EMAIL,
      projectNumber: eA.env.GCAL_PROJECT_NUMBER,
      scopes: ["https://www.googleapis.com/auth/calendar"],
      whitelist: ["https://metagame.wtf", "https://*.metagame.wtf", "https://frontend-pr-*-mjhnbmqqna-uk.a.run.app"]
  }
}

Note:

• APP_ENV is not set (and should probably be NEXT_PUBLIC_APP_ENV)
• NEXT_PUBLIC_WEB3_STORAGE_KEY is set even though it gives the ability to create any delegation desired and could be used to erase everyone's profile images. (Also in the code where the actual delegation is created, a remove delegation is created for the space & uploads which gives a user the ability to remove others' files.) The code for creating the delegation is in the /src/api/ folder which creates an HTTP endpoint to be contacted. When the code is accessed, however, it's imported directly into the source and not contacted out of band with a fetch to the API endpoint.
• WEB3_STORAGE_PROOF isn't set either. Or, rather, I'm pretty sure it's set as NEXT_PUBLIC_WEB3_STORAGE_PROOF. Also pretty sure it also is not supposed to be exposed to the client.

What did you expect to happen?

I expected more secrets to be kept. 😼

How can we reproduce the problem (as minimally as possible)?

Umm, load the page & search the sources for something that appears in the above dump of the CONFIG object.

Is there anything else we need to know?

No response

Browser and operating system used (if applicable)

No response