
Setting Authorization header causes secrets to be leaked in compiled JS #79

Open
motionsuggests opened this issue Jul 15, 2024 · 1 comment

Comments

@motionsuggests
Contributor

Issue

My site pulls markdown files from multiple repos with some requiring Authorization. I'm adding Authorization headers to the requestConfig that gets passed to Axios. I'm using cli-sync with noRuntimeDownloads: true.

The problem is that because this is added to the docusaurus.config.js it ends up in the compiled main.js.

```js
requestConfig: {
  timeout: 60000,
  headers: {
    "Accept": "application/vnd.github.raw+json",
    "Authorization": `Bearer ${process.env.GITHUB_TOKEN}`, // The value of GITHUB_TOKEN is present in compiled JS
  },
}
```

Temporary Solution

The temporary solution I used was to reset the GITHUB_TOKEN to be empty after files are pulled but before build and deploy. I also stopped using the Docusaurus deploy and replaced it with the npm package gh-pages to deploy.

@eric-gonzalez-tfs

Thanks for sharing this find @motionsuggests. It makes sense that webpack would replace these values, but this behavior should be explicitly called out in the README.
