depau/HackMD
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Use API key instead of clientSecret

Browse source 
As recently discovered we send the clientSecret to the webclient which
is potentionally dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2018-04-13 09:33:55 +02:00
parent f23f403bcb
commit ef86bf5cba
No known key found for this signature in database
GPG key ID: 1F05CC3635CDDFFD
3 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app.js
View file

@ -33,7 +33,7 @@ var data = {
urlpath: config.urlPath,
debug: config.debug,
version: config.version,
GOOGLE_API_KEY: config.google.clientSecret,
GOOGLE_API_KEY: config.google.apiKey,
GOOGLE_CLIENT_ID: config.google.clientID,
DROPBOX_APP_KEY: config.dropbox.appKey,
allowedUploadMimeTypes: config.allowedUploadMimeTypes

1
lib/config/default.js
View file

@ -104,6 +104,7 @@ module.exports = {
appKey: undefined
},
google: {
apiKey: undefined,
clientID: undefined,
clientSecret: undefined
},

1
lib/config/environment.js
View file

@ -74,6 +74,7 @@ module.exports = {
appKey: process.env.HMD_DROPBOX_APPKEY
},
google: {
apiKey: process.env.HMD_GOOGLE_APIKEY,
clientID: process.env.HMD_GOOGLE_CLIENTID,
clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET
},