woocommerce / woocommerce-rest-api-js-lib

New JavaScript library for WooCommerce REST API
https://www.npmjs.com/package/@woocommerce/woocommerce-rest-api
MIT License
273 stars, 76 forks

Exposing secret & key in javascript code? #52

Open simplenotezy opened 4 years ago

simplenotezy commented 4 years ago

Most likely there is something I misunderstand, but how can it be safe to expose the consumer secret and key in the code? People could inspect the source code and retrieve it, no? Or what am I missing here?

luthv commented 4 years ago

Usually sensitive info is kept in environment variables; how to set these variables depends on where you deploy the code.

So your code might look like this: const options = { consumerKey: process.env.CONSUMER_KEY, ...etc }

simplenotezy commented 4 years ago

I see. However, if you want any calls on the frontend which are not processed by server-side rendering, then I guess you'll be exposing your secret key?


simplenotezy commented 4 years ago

I'm not talking about repository source code, I'm talking about browser source code, by the way.


climba03003 commented 4 years ago

Browser-side source code is exposed to anyone who visits your website. It is hard to hide the key from those who want to explore the code. The only thing you can do is to limit the access rights of the particular key pair.

simplenotezy commented 4 years ago

> Browser-side source code is exposed to anyone who visits your website. It is hard to hide the key from those who want to explore the code. The only thing you can do is to limit the access rights of the particular key pair.

@climba03003 is this seriously standard procedure?


climba03003 commented 4 years ago

If exposing the API key pair is the only option in your scenario, restricting the access rights of the API key is the only option. E.g.:

  1. Restrict the IPs from which the API key can be used
  2. Give READ permission only

hicreate commented 4 years ago

Use middleware: set up a Node.js server layer under the SPA that receives and proxies the API call, complete with key and secret. Or set up a PHP proxy over the top of Woo that does the same; either way you need middleware. I then use Auth0 on the frontend to tokenize access to the middleware for sensitive data areas, and using JWT on the Node middleware I can validate that someone has signed in before completing an API call that writes data or does something sensitive on my Woo database.

laygir commented 3 years ago

I am on the same page as @simplenotezy. At the same time I am struggling to understand if this library aims to support server side applications or client side.

It would have been really nice if it was possible to pass a jwt generated by wp to woo and be done with it.

That would make this lib really useful for frontend applications, no? I am thinking decoupled wp+woo on the backend and a separate frontend app which can place orders/checkout and provide basic customer operations through woo rest api.

climba03003 commented 3 years ago

The plugin is only an axios wrapper class. Since axios can run on both the browser and Node, this plugin can also achieve the same behavior. You can make your own version of the axios wrapper for JWT, as JWT is not the official way for the WordPress API connection.