What is a solution for saving secret keys?

[samuelterra22]

No description provided.

[janesser]

nuxt-env/lib/plugin.js

Line 20 in a5b76d9

client (ctx, inject) {

What about having a filter for a certain prefix or something at that codespot?

@samtgarson will you have time to enhance nuxt-env in this direction?

[samtgarson]

Hey @samuelterra22 @janesser I'm not sure what this issue is asking, could you give a bit more detail?

[janesser]

@samtgarson it's about env vars you don't want to expose to the browser context but to the SSR context. at least in my case.

[samtgarson]

Working on a PR for this, but in the meantime you can just use process.env which is populated server side but not client side.

[samuelterra22]

Complementing what @janesser said, when the build command is executed, all keys / values are in the code. If you open a .js file through the browser, all .env information will be there, which is bad when I have sensitive information being used.
One solution was to use the config package.

[janesser]

@samuelterra22 i believe server.js isn't exposed to the browser, but that of course requires double-checking.

[samtgarson]

@samuelterra22 thanks for the feedback.

Firstly, it states at the top of the readme (with a ⚠️) that currently this library is not currently safe to use with secrets, as everything is exposed to the browser anyway.

Having said that, I am working on a PR which will allow you to label keys as secret. Could you let me know which files you're seeing your secrets in, so I can make sure this PR doesn't continue to expose secrets? Thanks!

[robsontenorio]

Any update?

[samtgarson]

Released in 0.1.0 🚀