landed1 closed this 7 years ago
that's running server side, NO user will have access to read the key.
At this point, using the Mandrill key is like using a database password. If your server is compromised, you have a bigger problem.
I didn't design this library to be used in the browser; my original intent was to enable simple interaction with the Mandrill API via node.js.
I'm not aware of any way to access the Mandrill API via the browser without exposing your credentials to your user.
The only thing I can think to suggest right now is setting up a service on your own server to proxy the request in order to validate it and add your Mandrill credentials, before passing it on to Mandrill.
I used the following workaround for a contact us form. It assumes that you only want to send emails to a single email address, say contact@example.com for example.
If my understanding is correct, the worst a malicious user could do with this is spam your contact email address from your Mandrill account. But if they know your email address they can do that anyway.
This wrapper doesn't at second glance look like it protects the user's key, and so the emailer can be used by someone else. Or am I missing something? But it looks cool, thanks.
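The server-side proxy suggested in the thread, combined with the single-recipient restriction from the contact-form workaround, as an added example that is not code from this thread or from the library. The function names, `FROM_ADDRESS`, the length limits and the handler shape are assumptions; the request targets Mandrill's `messages/send` endpoint, and the key is passed in from server configuration such as an environment variable.

```javascript
// Added example: contact-form proxy logic that runs on your server (names are hypothetical).
const MANDRILL_SEND_URL = 'https://mandrillapp.com/api/1.0/messages/send.json';
const CONTACT_ADDRESS = 'contact@example.com'; // fixed recipient, as in the workaround
const FROM_ADDRESS = 'noreply@example.com';    // assumed sender on your own domain
const MAX_TEXT = 5000;                         // assumed message length limit
const EMAIL_RE = /^[^\s@<>,;]+@[^\s@<>,;]+\.[^\s@<>,;]+$/;

// Accept only the fields the form needs. Anything else the browser sends
// (a recipient, a key, extra message options) is ignored.
function validateContactForm(input) {
  if (input === null || typeof input !== 'object') return { error: 'invalid body' };
  const { email, subject, text } = input;
  if (typeof email !== 'string' || email.length > 254 || !EMAIL_RE.test(email)) return { error: 'invalid email' };
  if (typeof subject !== 'string' || !subject.trim() || subject.length > 200 || /[\r\n]/.test(subject)) return { error: 'invalid subject' };
  if (typeof text !== 'string' || !text.trim() || text.length > MAX_TEXT) return { error: 'invalid text' };
  return { value: { email, subject: subject.trim(), text } };
}

// The API key and the recipient are added here, on the server only.
function buildMandrillPayload(form, apiKey) {
  return {
    key: apiKey,
    message: {
      from_email: FROM_ADDRESS,
      to: [{ email: CONTACT_ADDRESS, type: 'to' }],
      headers: { 'Reply-To': form.email }, // submitter is reachable via reply
      subject: form.subject,
      text: form.text,
    },
  };
}

// Framework-agnostic handler: call it from your route with the raw request
// body and the key from server config. `send` defaults to fetch (Node 18+).
async function handleContact(rawBody, apiKey, send = fetch) {
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch { return { status: 400, body: { error: 'invalid JSON' } }; }
  const { error, value } = validateContactForm(parsed);
  if (error) return { status: 400, body: { error } };
  const res = await send(MANDRILL_SEND_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(buildMandrillPayload(value, apiKey)),
  });
  // Do not relay Mandrill's response body to the browser.
  return res.ok ? { status: 202, body: { ok: true } } : { status: 502, body: { error: 'mail service error' } };
}
```

The handler does not rate-limit, so the spam risk mentioned in the workaround comment still calls for a per-client limit in front of the route.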