don't put key auth data in public config.js #631

Closed
tomByrer opened this issue Apr 27, 2016 · 7 comments

Comments

@tomByrer

I think having config.js is a good idea, & should stay part of the git repo (e.g. not in .gitignore).

But correct me if I'm wrong, isn't the social login id & secret private information? So should they be in a separate file (e.g. secrets.js) & that file be added to .gitignore so people don't accidentally upload their secrets?

@langpavel
Collaborator

Even better in environment variables or passed as command line arguments

@mchandleraz

@langpavel in some instances, it's possible to see the arguments that were used when starting a process so environment vars aren't always the best answer. Not sure what's right here.

@koistya
Member

koistya commented Apr 28, 2016

FYI, the config.js file is only used in server-side code. It might be a good idea to put something like this in it: if (process.env.BROWSER) { throw new Error(..); } just to make sure that it's not referenced in client-side code by accident. A PR with this feature is welcome!

And if you need to extract some data from this config for use in the client-side code, you can do it in server.js where you dehydrate the application's state for re-use on the client.

@langpavel
Collaborator

@koistya Good catch! I will prepare a PR because I violate this myself.

@langpavel
Collaborator

#633 Prevent config to be bundled in client

@tomByrer
Author

I think koistya's solution is a good extra layer of prevention.
I was thinking about separating the sensitive keys config from the remaining config into 2 separate files, & .gitignore that key file. This helps prevent transfer, especially when someone merges from their system back into this repo ;)
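
The suggestions in this thread (secrets from environment variables, a guard against client-side bundling, and passing only selected values to the client when state is dehydrated) combined in one server-side module. This is an added example, not code from the comments or from the project; every function and key name is hypothetical, and it assumes the build defines process.env.BROWSER as truthy only in the client bundle.

```javascript
// Added example; loadConfig, clientConfig, dehydrate and all key names are hypothetical.
// Assumption: the bundler defines process.env.BROWSER as truthy only in the client build.

// Keys that may be sent to the browser; everything else stays on the server.
const CLIENT_SAFE_KEYS = ['analyticsId', 'apiUrl'];

function loadConfig(env = process.env) {
  // Guard: fail loudly if this module is ever evaluated in the client bundle.
  if (env.BROWSER) {
    throw new Error('config must not be imported from client-side code');
  }
  // Secrets come from the environment, so none are committed to the repository.
  const required = ['AUTH_CLIENT_ID', 'AUTH_CLIENT_SECRET'];
  const missing = required.filter((name) => !env[name]);
  if (missing.length > 0) {
    // Report variable names only; never echo values into logs.
    throw new Error(`missing environment variables: ${missing.join(', ')}`);
  }
  return Object.freeze({
    analyticsId: env.ANALYTICS_ID || null,
    apiUrl: env.API_URL || null,
    authClientId: env.AUTH_CLIENT_ID,
    authClientSecret: env.AUTH_CLIENT_SECRET,
  });
}

// Allowlist copy: a key added to the config later is private unless listed above.
function clientConfig(config) {
  const out = {};
  for (const key of CLIENT_SAFE_KEYS) {
    if (config[key] != null) out[key] = config[key];
  }
  return out;
}

// Serialize state for embedding in the page; "<" is escaped so a value cannot
// close the surrounding <script> element.
function dehydrate(config) {
  return JSON.stringify({ config: clientConfig(config) }).replace(/</g, '\\u003c');
}

// Constructed sample environment (placeholder values, not real credentials).
const SAMPLE_ENV = {
  ANALYTICS_ID: 'UA-CONSTRUCTED-1',
  API_URL: 'https://api.example.test',
  AUTH_CLIENT_ID: 'constructed-client-id',
  AUTH_CLIENT_SECRET: 'constructed-client-secret',
};

console.log(dehydrate(loadConfig(SAMPLE_ENV)));
```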

@ulani
Member

ulani commented May 27, 2021

@tomByrer thank you very much for creating this issue! Unfortunately, we have closed it due to inactivity. Feel free to re-open it or join our Discord channel for discussion.

NOTE: The main branch has been updated with React Starter Kit v2, using JAM-style architecture.

@ulani ulani closed this as completed May 27, 2021