From ef86bf5cba65af3dc3db10944cec8d40d848daaa Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Fri, 13 Apr 2018 09:33:55 +0200
Subject: [PATCH] Use API key instead of clientSecret

As recently discovered we send the clientSecret to the webclient which
is potentionally dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
---
 app.js                    | 2 +-
 lib/config/default.js     | 1 +
 lib/config/environment.js | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/app.js b/app.js
index fcf905d..63b880c 100644
--- a/app.js
+++ b/app.js
@@ -33,7 +33,7 @@ var data = {
   urlpath: config.urlPath,
   debug: config.debug,
   version: config.version,
-  GOOGLE_API_KEY: config.google.clientSecret,
+  GOOGLE_API_KEY: config.google.apiKey,
   GOOGLE_CLIENT_ID: config.google.clientID,
   DROPBOX_APP_KEY: config.dropbox.appKey,
   allowedUploadMimeTypes: config.allowedUploadMimeTypes
diff --git a/lib/config/default.js b/lib/config/default.js
index 68849d3..db0c036 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -104,6 +104,7 @@ module.exports = {
     appKey: undefined
   },
   google: {
+    apiKey: undefined,
     clientID: undefined,
     clientSecret: undefined
   },
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 3dde478..8e1e517 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -74,6 +74,7 @@ module.exports = {
     appKey: process.env.HMD_DROPBOX_APPKEY
   },
   google: {
+    apiKey: process.env.HMD_GOOGLE_APIKEY,
     clientID: process.env.HMD_GOOGLE_CLIENTID,
     clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET
   },