samtgarson / nuxt-env

Inject env vars for your Nuxt app at runtime

What is a solution for saving secret keys? #9

Closed samuelterra22 closed 5 years ago

janesser commented 6 years ago

https://github.com/samtgarson/nuxt-env/blob/a5b76d935f48202f4ba1e252abf1c748ae762fe8/lib/plugin.js#L20

What about having a filter for a certain prefix or something at that codespot?

@samtgarson will you have time to enhance nuxt-env in this direction?

samtgarson commented 6 years ago

Hey @samuelterra22 @janesser I'm not sure what this issue is asking, could you give a bit more detail?

janesser commented 6 years ago

@samtgarson It's about env vars you don't want to expose to the browser context but to the SSR context, at least in my case.

samtgarson commented 6 years ago

Working on a PR for this, but in the meantime you can just use process.env which is populated server side but not client side.

samuelterra22 commented 6 years ago

Complementing what @janesser said, when the build command is executed, all keys / values are in the code. If you open a .js file through the browser, all .env information will be there, which is bad when I have sensitive information being used. One solution was to use the config package.

janesser commented 6 years ago

@samuelterra22 I believe server.js isn't exposed to the browser, but that of course requires double-checking.

samtgarson commented 6 years ago

@samuelterra22 thanks for the feedback.

Firstly, it states at the top of the readme (with a ⚠️) that this library is not currently safe to use with secrets, as everything is exposed to the browser anyway.

Having said that, I am working on a PR which will allow you to label keys as secret. Could you let me know which files you're seeing your secrets in, so I can make sure this PR doesn't continue to expose secrets? Thanks!

robsontenorio commented 5 years ago

Any update?

samtgarson commented 5 years ago

Released in 0.1.0 🚀
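
The server/browser split discussed in this thread, as an added example that is not part of the thread and is not nuxt-env's own code: keys labelled secret stay in the SSR-side object, and a build-time check confirms no secret value appears in text sent to the browser. The names `KEYS`, `splitEnv`, `findLeaks` and `window.__ENV__`, and all sample values, are assumptions made for illustration.

```javascript
// Added illustration, not nuxt-env's code. KEYS, splitEnv, findLeaks and window.__ENV__ are hypothetical.
// A plain string is a public key; { key, secret: true } marks a server-only key.
const KEYS = [
  'API_BASE_URL',
  { key: 'PAYMENT_API_TOKEN', secret: true },
  { key: 'SESSION_SIGNING_KEY', secret: true }
]

// Constructed sample environment; all values are made up.
const SAMPLE_ENV = {
  API_BASE_URL: 'https://api.example.test',
  PAYMENT_API_TOKEN: 'tok_constructed_0123456789',
  SESSION_SIGNING_KEY: 'constructed-signing-key-abcdef',
  UNLISTED_VAR: 'never-copied'
}

// Split env into what SSR code may read and what may be serialized to the browser.
// Only listed keys are copied (allowlist), so unlisted variables never leave the process.
function splitEnv (keys, env) {
  const server = {}
  const client = {}
  for (const entry of keys) {
    const { key, secret = false } = typeof entry === 'string' ? { key: entry } : entry
    if (!Object.prototype.hasOwnProperty.call(env, key)) continue
    server[key] = env[key]
    if (!secret) client[key] = env[key]
  }
  return { server, client }
}

// Build/CI check: names of secret keys whose value occurs in text destined for the
// browser (serialized state or bundle contents). An empty array means no leak found.
function findLeaks (keys, env, clientText) {
  return keys
    .filter(e => typeof e === 'object' && e.secret && env[e.key])
    .filter(e => {
      const raw = String(env[e.key])
      const escaped = JSON.stringify(raw).slice(1, -1) // form the value takes inside JSON
      return clientText.includes(raw) || clientText.includes(escaped)
    })
    .map(e => e.key)
}

const { client } = splitEnv(KEYS, SAMPLE_ENV)
const safePayload = `window.__ENV__=${JSON.stringify(client)}`
const unsafePayload = `window.__ENV__=${JSON.stringify(SAMPLE_ENV)}` // whole env serialized
```

Running `findLeaks` over the contents of each built client file gives the check the thread asks for when it mentions opening a .js file in the browser.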