birkir / gatsby-source-prismic-graphql

Gatsby source plugin for Prismic GraphQL
MIT License

Beta exposes access key when preview is turned off #104

Open scb-mchaines opened 4 years ago

scb-mchaines commented 4 years ago

On the latest beta release, it looks like there is some risk of publicly exposing access keys. Steps:

  1. npm install with the affected version "gatsby-source-prismic-graphql": "^3.4.0-beta.2"
  2. build with gatsby-source-prismic-graphql config indicating previews: false. Mine looks something like:
     {
       resolve: 'gatsby-source-prismic-graphql',
       options: {
         repositoryName: 'my-repository',
         accessToken: 'secret-access-token',
         path: '/preview',
         previews: false,
         pages: [{
           type: 'Page',
           match: '/:uid',
           path: '/',
           component: require.resolve('./src/components/page.js'),
         }],
       },
     }
  3. Serve the public directory, and check window.prismicGatsbyOptions.accessToken in the js console of the page. In my case, this exposes the access key.

Originally posted by @scb-mchaines in https://github.com/birkir/gatsby-source-prismic-graphql/issues/45#issuecomment-557228962

andyto commented 4 years ago

What is the purpose of window.prismic and window.prismicGatsbyOptions in a production build without a preview?