Open 190km opened 2 months ago
The plan to solve the bug involves renaming the environment variable `NEXT_PUBLIC_API_KEY` to `API_KEY` to ensure it is not exposed to the client-side. This change needs to be reflected in the code where the variable is used, in the environment configuration files, and in the Next.js configuration.

The bug is caused by the use of the `NEXT_PUBLIC_API_KEY` environment variable, which is prefixed with `NEXT_PUBLIC`. This prefix makes the variable accessible on the client-side, posing a security risk. The goal is to rename this variable to `API_KEY` to ensure it is only accessible on the server-side.

Update the reference to the environment variable from `process.env.NEXT_PUBLIC_API_KEY` to `process.env.API_KEY`.
```js
const openai = new OpenAI({
  apiKey: process.env.API_KEY,
  dangerouslyAllowBrowser: true,
});
```
Ensure that the new `API_KEY` variable is defined in the `.env.local` file if necessary. If the variable is defined in another environment file or directly in the deployment environment, update those configurations as well.

```
API_KEY=your_api_key_value_here
```
Add the new environment variable `API_KEY` to the Next.js configuration to ensure it is available for server-side operations and build-time configurations.

```js
/** @type {import('next').NextConfig} */
const nextConfig = {
  env: {
    API_KEY: process.env.API_KEY,
  },
};

export default nextConfig;
```
- `NEXT_PUBLIC_API_KEY` in your environment configuration (e.g., `.env.local`).
- `process.env.NEXT_PUBLIC_API_KEY`.
- `NEXT_PUBLIC_API_KEY` is exposed.

Ticket title: Do not name the env variable NEXT_PUBLIC_API_KEY.
Ticket Description: When an env variable starts with NEXT_PUBLIC it's accessible by the client, so remove the NEXT_PUBLIC and rename it to another name.
- `process.env.NEXT_PUBLIC_API_KEY` to `process.env.API_KEY` in `src/hooks/useTranslate.jsx`.
- `API_KEY` variable is defined in the `.env.local` file or other relevant environment files.
- `API_KEY` to the Next.js configuration in `next.config.mjs`.

By following these steps, we ensure that the API key is not exposed to the client-side, enhancing the security of the application.
When an env variable starts with NEXT_PUBLIC it's accessible by the client, so remove the NEXT_PUBLIC and rename it to another name.
Thanks for bringing that to my notice @190km
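
A check for the exposure paths discussed in this thread, added here as an example (not code from the repository or from the plan above): it flags secret-looking `NEXT_PUBLIC_` variables, `dangerouslyAllowBrowser: true`, and secret-looking entries under the `env` key of `next.config`, which Next.js also inlines into the client bundle at build time. The function name, rule labels, name heuristic and sample files are assumptions constructed for illustration.

```javascript
// Added example, not code from the repository discussed in this thread.
// Assumption: a variable is "secret-looking" if its name contains one of these words.
const SECRET_NAME = /(KEY|SECRET|TOKEN|PASSWORD)/;

// files: { path: contents }. Returns findings in the order they are encountered.
function findClientExposedSecrets(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    const base = path.split("/").pop();
    let inEnvBlock = false;
    text.split("\n").forEach((line, i) => {
      const hit = (rule, name) => findings.push({ path, line: i + 1, rule, name });
      if (base.startsWith(".env")) {
        // .env files: NEXT_PUBLIC_* values are inlined into the browser bundle.
        const m = line.match(/^\s*(NEXT_PUBLIC_\w+)\s*=/);
        if (m && SECRET_NAME.test(m[1])) hit("public-prefix", m[1]);
      } else if (base.startsWith("next.config.")) {
        // Values under the `env` key of next.config are inlined at build time too.
        if (/^\s*env\s*:\s*\{/.test(line)) inEnvBlock = true;
        else if (inEnvBlock && /^\s*\}/.test(line)) inEnvBlock = false;
        else if (inEnvBlock) {
          const m = line.match(/^\s*(\w+)\s*:/);
          if (m && SECRET_NAME.test(m[1])) hit("config-env-inlined", m[1]);
        }
      } else {
        // Source files: references to public-prefixed secrets, and the OpenAI
        // client option that lets the SDK run (with its key) in a browser.
        for (const m of line.matchAll(/process\.env\.(NEXT_PUBLIC_\w+)/g)) {
          if (SECRET_NAME.test(m[1])) hit("public-prefix", m[1]);
        }
        if (/dangerouslyAllowBrowser\s*:\s*true/.test(line)) hit("browser-client", "dangerouslyAllowBrowser");
      }
    });
  }
  return findings;
}

// Constructed sample project (contents are illustrative placeholders).
const SAMPLE = {
  ".env.local": "NEXT_PUBLIC_API_KEY=placeholder\nNEXT_PUBLIC_SITE_NAME=demo\n",
  "src/hooks/useTranslate.jsx": [
    "const openai = new OpenAI({",
    "  apiKey: process.env.NEXT_PUBLIC_API_KEY,",
    "  dangerouslyAllowBrowser: true,",
    "});",
  ].join("\n"),
  "next.config.mjs": "const nextConfig = {\n  env: {\n    API_KEY: process.env.API_KEY,\n  },\n};\n",
};

console.log(findClientExposedSecrets(SAMPLE));
```
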