fix: move Web3.Storage keys to server-side only#1791
Closed
Ai-chan-0411 wants to merge 1 commit intoMetaFam:developfrom
Closed
fix: move Web3.Storage keys to server-side only#1791Ai-chan-0411 wants to merge 1 commit intoMetaFam:developfrom
Ai-chan-0411 wants to merge 1 commit intoMetaFam:developfrom
Conversation
- Remove NEXT_PUBLIC_ prefix from WEB3_STORAGE_KEY and WEB3_STORAGE_PROOF to prevent them from being bundled into client-side JavaScript - Replace direct import of delegation logic with proper Next.js API route (POST /api/w3up-delegate) that runs server-side only - Update useW3upClient hook to fetch delegation via HTTP instead of direct function import - Remove web3StorageToken and web3StorageKey from client-accessible config - Keep web3StorageDID as NEXT_PUBLIC_ since DIDs are not secrets
Review or Edit in CodeSandboxOpen the branch in Web Editor • VS Code • Insiders |
|
@aoi-dev-0411 is attempting to deploy a commit to the MetaFamily Team on Vercel. A member of the Team first needs to authorize it. |
Author
|
Closing due to no review activity. Thank you for the opportunity! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #1750
Problem
Web3.Storage access key (
NEXT_PUBLIC_WEB3_STORAGE_KEY) and proof (NEXT_PUBLIC_WEB3_STORAGE_PROOF) are exposed to the client because they use theNEXT_PUBLIC_prefix. This means the private signing key is visible in the browser's source code.Solution
NEXT_PUBLIC_prefix fromWEB3_STORAGE_KEY,WEB3_STORAGE_TOKEN, andWEB3_STORAGE_PROOFso they are only available server-sidePOST /api/w3up-delegate) that handles delegation server-side and returns a serialized delegation to the clientuseW3upClienthook to fetch the delegation via HTTP request instead of directly importing server-side codeNEXT_PUBLIC_WEB3_STORAGE_DIDas public since DIDs are not secretsMigration
After merging, update your
.envfile:/attempt 1750