bugsnag / bugsnag-js

JavaScript error handling tool for BugSnag. Monitor and report JavaScript bugs & errors.
https://docs.bugsnag.com/platforms/javascript
MIT License

Avoid public API key source map uploads #1933

Open Miljoen opened 1 year ago

Miljoen commented 1 year ago

Description

Is your feature request related to a problem?

Yes, when using Bugsnag on the client side, the API key is public. From this issue: "They would in theory be able to send fake reports / source maps to your dashboard ..." The fake reports are not my concern here, the fake source maps on the other hand are.

Describe the solution you'd like

Keep the public API key, but avoid any user being able to upload source maps. In other words, create a separate API key for uploading source maps specifically (this one can be kept secret).

Additional context

We automate uploading source maps on tag releases, and we must be able to rely on correct source maps for our released tag. When we add Bugsnag to client side projects (TS), we must provide the API key to be able to upload bug reports. But this same key can be used to corrupt our source maps.

Additional remark: anyone could in theory upload anything, even malicious scripts.

The best way forward in my view is to limit the public bug reporting API key to what it is supposed to do, sending bug reports.

johnkiely1 commented 1 year ago

Hi @Miljoen

We actually have an existing item on our product roadmap to use a separate API key for source map uploads. This would mean that the upload API key could be kept private, preventing people from uploading modified source maps using the public API key.

I don't have a firm ETA for this but I've flagged your interest with our product team and we'll be sure to keep you posted with any updates.