Exposed Google Cloud API Key

doxas / twigl

twigl.app is an online editor for One tweet shader, with gif generator and sound shader, and broadcast live coding.

https://twigl.app/

MIT License

803 stars 50 forks source link

Exposed Google Cloud API Key #9

Closed saibotk closed 4 years ago

saibotk commented 4 years ago

Hello,

I found your project through https://shhgit.darkport.co.uk/ because it seems like you exposed your Google Cloud API Key in https://github.com/doxas/twigl/blob/master/src/script.js#L87

Here's how to safely remove it https://help.github.com/en/github/authenticating-to-github/removing-sensitive-data-from-a-repository in case it's critical.

doxas commented 4 years ago

Hi @saibotk

Thank you for the reminder. For the following reasons, this project includes the API Key in the public domain.

In the case of Firebase, in any case, the API Key is in the same state as being publicly available
→ Reference javascript \frx346- Is it safe to expose Firebase apiKey to the public? \frx346- Stack Overflow
We have configured the API to limit the domains that can use it.

saibotk commented 4 years ago

Then it's all fine, I just wanted to let you know, in the case you did not secure the key properly. Then I'm going to close this I guess, stay safe ;)