Setting Authorization header causes secrets to be leaked in compiled JS
Issue
My site pulls markdown files from multiple repos with some requiring Authorization. I'm adding Authorization headers to the `requestConfig` that gets passed to Axios. I'm using cli-sync with `noRuntimeDownloads: true`.
The problem is that, because this is added to the docusaurus.config.js, it ends up in the compiled main.js.
```js
requestConfig: {
  timeout: 60000,
  headers: {
    "Accept": "application/vnd.github.raw+json",
    "Authorization": `Bearer ${process.env.GITHUB_TOKEN}`, // The value of GITHUB_TOKEN is present in the compiled JS
  },
}
```
Temporary Solution
The temporary solution I used was to reset the GITHUB_TOKEN to be empty after files are pulled but before build and deploy. I also stopped using the Docusaurus deploy and replaced it with the npm package gh-pages to deploy.
Thanks for sharing this find @motionsuggests. It makes sense that webpack would replace these values, but this behavior should be explicitly called out in the README.