Sorry that I don’t see the point here.
What you’re doing here is just combining the proxy part and the request part together using Next.js.
But the main issue is about the authentication method itself (aka API key), not the disclosure of it.
The Google Maps API, for example, also issues API keys for frontend maps. And the API key is also well exposed to the internet. But Google limited the domains of the request origin. Thus I cannot steal your key and put it on my site.
If you want to track user access, why don’t you issue a JWT to the user (or session etc.)? Why an API key in the first place?
Even if you secure your API key, users can still call your API unauthorised if you don’t take any security measures.
Hey thanks for commenting!
I think you are overthinking this a bit, this is just meant to help people do what the title says.
Let's say I am learning to code and I created a weather app and I got a key to use an API. Do I "issue a jwt to the user to track user access and usage"? I don't think I know how to do that yet.
Is hiding the API key a perfect and infallible solution?
Of course not, but it's better than just having my key there for everyone to see.
Totally agree with this as a beginner.
A friend once built a YouTube clone with React, and because the API key was exposed, someone else went ahead and started using it, which later resulted in some unexpected breakdown of the clone.
I know what you’re trying to solve. Since not all public APIs expect you to call directly from the frontend, the API key is a sensitive thing you don’t want to expose (like an AWS key).
But what sounds weird is both the situation and the solution. NextJs is a React framework that is built for server-side rendering.
If you’re not an SSR and React developer, using NextJs will create more problems than it solves.
If you’re a React/NextJs developer, I still feel weird since NextJs is already a backend server that renders webpages and serves them to the user.
What I feel about this article: You don’t wanna build a proxy server? Okay, you can use NextJs (but it’s also a server)!
This is really helpful.
Thanks.
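
Added example, not from the article or from any commenter: a Next.js-style API route that keeps the key server-side and also gates who may spend it, the gap raised in the first comment. The allowed origin, the limits, the `WEATHER_API_KEY` variable name and the `callUpstream` function are assumptions made for illustration.

```javascript
// Assumed values: one allowed site origin, 5 requests per client per minute.
const ALLOWED_ORIGINS = new Set(["https://my-weather-app.example"]);
const WINDOW_MS = 60_000;
const MAX_REQUESTS = 5;
const hits = new Map(); // client address -> timestamps of recent accepted requests

// Sliding-window limiter: true while this client is under the cap.
function underLimit(clientId, now) {
  const recent = (hits.get(clientId) || []).filter((t) => now - t < WINDOW_MS);
  const ok = recent.length < MAX_REQUESTS;
  if (ok) recent.push(now);
  hits.set(clientId, recent);
  return ok;
}

// Returns the HTTP status to answer with before the key is spent upstream.
function gate(req, now = Date.now()) {
  if (req.method !== "POST") return 405;
  // Browsers attach Origin to POST requests. A script outside a browser can
  // forge it, so this only stops other sites; the rate limit caps everyone.
  if (!ALLOWED_ORIGINS.has(req.headers.origin)) return 403;
  // Assumes clients connect directly (no reverse proxy in front).
  if (!underLimit(req.socket.remoteAddress, now)) return 429;
  const city = req.body && req.body.city;
  if (typeof city !== "string" || !/^[\p{L} .'-]{1,64}$/u.test(city)) return 400;
  return 200;
}

// callUpstream(city, apiKey) is a hypothetical wrapper around the third-party
// API; the key comes from the server environment and never reaches the browser.
function makeHandler(callUpstream, apiKey = process.env.WEATHER_API_KEY) {
  return async function handler(req, res) {
    const status = gate(req);
    if (status !== 200) return res.status(status).json({ error: "request rejected" });
    try {
      return res.status(200).json(await callUpstream(req.body.city, apiKey));
    } catch {
      // Do not echo upstream errors: they can contain the request URL and key.
      return res.status(502).json({ error: "upstream failed" });
    }
  };
}
```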