-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Externalizing required frontend config to a dot env file #56
Externalizing required frontend config to a dot env file #56
Conversation
Hello @endersonmaia and @guidanoli , what do you think? |
Great! |
@claudioantonio I think it's better now, let's just keep a look at #51 to improve how we handle this sensitive information |
@endersonmaia (cc. @guidanoli ) I just checked that Cartesiscan uses public env vars for API keys on the frontend. Check here. It seems that the way to protect from malicious actors to get it and submit lots of calls to consume the api quota is by whitelisting the source of the call on the provider (Alchemy or Infura). See wagmi forum here. I will talk with Bruno Menezes about it. 😉 |
@claudioantonio, I think that is an improved way to quickly cancel and replace keys when necessary if that is the "mitigation" accepted. We are also using that form in the Staking app here. Thanks for highlighting that. I'll see if make sense to move to an environment variable, but this one in my view is less important than the node-provider for money reasons but is good to be able to switch the value when needed quickly. When I looked into the infura options, it gives a few possibilities like:
The allowlist, as mentioned in one of the comments, may cause a bit of extra work depending if you use a cloud provider like Vercel. When working on a PR branch, you have its deployed counterpart since it gets random domains assigned to it, and you would probably hit 401s. Not sure if that is the case for BugLess. |
Thanks a lot for your contribution @brunomenezes ! |
I believe this needs a rebase |
Done @guidanoli ! |
@claudioantonio I think we should set a default value for the WalletConnect project ID environment variable, so that people can build the front-end without having ownership of the real value. If I run
From the Staking app example @brunomenezes gave, it sets the project ID to If I set this value in the |
Done @guidanoli ! 😉 |
This PR contributes to #29