Closed guaiamum closed 6 months ago
Hello, thanks for submitting this!
Regarding the security issue: The project ID and token are meant to be public. They only grant you the ability to render the project whose website you are already looking at.
But moving configuration into data files is nice and common practice!
This is something I'm wondering about: if the project IDs are public, does that mean that anyone with the project ID can open the Plasmic project if the owner doesn't have Auth set up for their project?
Only if you have share by link enabled! You should be able to set your projects to be private.
I was about to commit code from the auto-generated changes in the `create-plasmic-app` script and noticed the secrets about to go to the repo. I'm not sure how that really impacts security, but I have a hunch this info shouldn't be there... There's no easy way I found to revoke a previous API token in Studio as well, so I'm guessing better safe than sorry?
Since Next.js supports dotenv files natively and `.env.local` is auto-ignored in git tracking, I thought of adding this, wdyt?