Use API key instead of clientSecret

As recently discovered we send the clientSecret to the webclient which
is potentionally dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2018-04-13 09:33:55 +02:00
parent f23f403bcb
commit ef86bf5cba
No known key found for this signature in database
GPG key ID: 1F05CC3635CDDFFD
3 changed files with 3 additions and 1 deletions

2
app.js
View file

@ -33,7 +33,7 @@ var data = {
urlpath: config.urlPath,
debug: config.debug,
version: config.version,
GOOGLE_API_KEY: config.google.clientSecret,
GOOGLE_API_KEY: config.google.apiKey,
GOOGLE_CLIENT_ID: config.google.clientID,
DROPBOX_APP_KEY: config.dropbox.appKey,
allowedUploadMimeTypes: config.allowedUploadMimeTypes

View file

@ -104,6 +104,7 @@ module.exports = {
appKey: undefined
},
google: {
apiKey: undefined,
clientID: undefined,
clientSecret: undefined
},

View file

@ -74,6 +74,7 @@ module.exports = {
appKey: process.env.HMD_DROPBOX_APPKEY
},
google: {
apiKey: process.env.HMD_GOOGLE_APIKEY,
clientID: process.env.HMD_GOOGLE_CLIENTID,
clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET
},