coinbase / onchainkit

React components and TypeScript utilities to help you build top-tier onchain apps.
https://onchainkit.xyz
MIT License

API Key exposed by OnchainKit provider #749

Open richardrauser opened 2 days ago

richardrauser commented 2 days ago

Describe the bug and the steps to reproduce it

Follow the OnchainKit Getting Started guide: https://onchainkit.xyz/getting-started

This necessitates exposing a Coinbase API key in a client component, meaning any users of the web app implementing OnchainKit can access the key.

GitGuardian reports this as a critical security vulnerability.

[Screenshot attached, 2024-07-02 14:50:44]

What's the expected behavior?

OnchainKit does not require an API key to be exposed to end users.

What version of the libraries are you using?

0.23.4

richardrauser commented 2 days ago

It also does not appear to be possible to revoke or rotate this API key.
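A server-side relay pattern for the exposure described in this issue, added here as an example (it is not OnchainKit's or the reporter's code; the `PROVIDER_API_KEY` variable name, the upstream URL and the method allowlist are placeholders): the key is read only from a server-side environment variable, only allowlisted calls are forwarded, and anything sent back to the browser is scrubbed for the key. Because the key never leaves the server, rotating it is a server-side change with no client redeploy.

```typescript
// Added example, not OnchainKit's code: a thin server-side proxy so the
// provider API key never reaches the browser. Env var name and upstream URL
// are hypothetical placeholders.

type ClientRpcRequest = { method: string; params?: unknown[] };
type UpstreamRequest = {
  url: string;
  init: { method: "POST"; headers: Record<string, string>; body: string };
};

// Only the calls the app actually needs. Without an allowlist the proxy is an
// open relay that lets any visitor spend the key's quota on arbitrary requests.
const ALLOWED_METHODS = new Set(["eth_blockNumber", "eth_getBalance", "eth_call"]);

// Runs on the server only. The key comes from a server-side variable; bundlers
// that inline "public"-prefixed env vars would put it into the client bundle,
// which is exactly the exposure reported in this issue.
function buildUpstreamRequest(
  req: ClientRpcRequest,
  env: Record<string, string | undefined>,
): UpstreamRequest {
  const key = env.PROVIDER_API_KEY;
  if (!key) throw new Error("server is missing PROVIDER_API_KEY");
  if (!ALLOWED_METHODS.has(req.method)) {
    throw new Error(`method not allowed: ${req.method}`);
  }
  return {
    url: `https://rpc.example.invalid/v1/${key}`, // hypothetical upstream
    init: {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({
        jsonrpc: "2.0",
        id: 1,
        method: req.method,
        params: req.params ?? [],
      }),
    },
  };
}

// Everything returned to the browser, including upstream error text, is checked
// for the key so a verbose upstream error cannot leak it to end users.
function sanitizeForClient(text: string, env: Record<string, string | undefined>): string {
  const key = env.PROVIDER_API_KEY;
  return key ? text.split(key).join("[redacted]") : text;
}
```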