From 488adc7e276700ca7ee5db00a67f4f22ae15eedf Mon Sep 17 00:00:00 2001
From: Rob Brackett
Date: Thu, 28 Nov 2024 15:35:59 -0800
Subject: [PATCH] Drop support for application keys (#127)

Application keys are not actually needed for submitting metrics or distributions (or events or logs, in case we ever wind up supporting that), so specifying them risks exposing a potentially more powerful credential for no real reason. When support for them was originally added, this library used a single, globally configured Datadog client, so it made sense to allow configuring it with an app key in case a developer using this library *also* wanted to use that global API client for other things. That's no longer the case (the client is not accessible from outside this library), so there's no reason to continue to support this, which might encourage dangerous use.
---
 README.md | 14 ++++++++------
 lib/loggers.js | 5 +++--
 lib/reporters.js | 17 ++++++++++++++---
 3 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 1dec5e0..5cf67bb 100644
--- a/README.md
+++ b/README.md
@@ -129,12 +129,13 @@ Where `options` is an object and can contain the following: is required to send metrics. * Make sure not to confuse this with your _application_ key! For more details, see: https://docs.datadoghq.com/account_management/api-app-keys/ -* `appKey`: Sets the Datadog application key. (optional) - * It's usually best to keep this in an environment variable. Datadog-metrics - looks for the application key in `DATADOG_APP_KEY` by default. - * This is different from the API key (see above), which is required. For - more about the different between API and application keys, see: - https://docs.datadoghq.com/account_management/api-app-keys/ +* `appKey`: ⚠️ Deprecated. This does nothing and will be removed in an upcoming + release. + + Sets the Datadog _application_ key. This is not actually needed for sending + metrics or distributions, and you probably shouldn’t set it. Do not confuse + this with your _API_ key! For more, see: + https://docs.datadoghq.com/account_management/api-app-keys/ * `defaultTags`: Default tags used for all metric reporting. (optional) * Set tags that are common to all metrics. * `onError`: A function to call when there are asynchronous errors seding @@ -346,6 +347,7 @@ Contributions are always welcome! For more info on how to contribute or develop * Buffer metrics using `Map` instead of a plain object. + * Deprecated the `appKey` option. Application keys (as opposed to API keys) are not actually needed for sending metrics or distributions to the Datadog API. Including it in your configuration adds no benefits, but risks exposing a sensitive credential. [View diff](https://github.com/dbader/node-datadog-metrics/compare/v0.11.4...main) diff --git a/lib/loggers.js b/lib/loggers.js index a39b160..05e373b 100644 --- a/lib/loggers.js +++ b/lib/loggers.js 
@@ -40,7 +40,8 @@ const Distribution = require('./metrics').Distribution; /** * @typedef {object} BufferedMetricsLoggerOptions * @property {string} [apiKey] Datadog API key - * @property {string} [appKey] Datadog APP key + * @property {string} [appKey] DEPRECATED: App keys aren't actually used for + * metrics and are no longer supported. * @property {string} [host] Default host for all reported metrics * @property {string} [prefix] Default key prefix for all metrics * @property {string} [site] Sets the Datadog "site", or server where metrics @@ -98,7 +99,7 @@ class BufferedMetricsLogger { /** @private */ this.aggregator = opts.aggregator || new Aggregator(opts.defaultTags); /** @private @type {ReporterType} */ - this.reporter = opts.reporter || new DatadogReporter(opts.apiKey, opts.appKey, opts.site); + this.reporter = opts.reporter || new DatadogReporter(opts.apiKey, opts.site); /** @private */ this.host = opts.host; /** @private */ diff --git a/lib/reporters.js b/lib/reporters.js index 20a0aef..1fecd0e 100644 --- a/lib/reporters.js +++ b/lib/reporters.js @@ -22,12 +22,24 @@ class DatadogReporter { /** * Create a reporter that sends metrics to Datadog's API. * @param {string} [apiKey] - * @param {string} [appKey] + * @param {string} [appKey] DEPRECATED! This argument does nothing. * @param {string} [site] */ constructor(apiKey, appKey, site) { + if (appKey) { + if (!site && /(datadoghq|ddog-gov)\./.test(appKey)) { + site = appKey; + appKey = null; + } else { + logDeprecation( + 'The `appKey` option is no longer supported since it is ' + + 'not used for submitting metrics, distributions, events, ' + + 'or logs.' + ); + } + } + apiKey = apiKey || process.env.DATADOG_API_KEY; - appKey = appKey || process.env.DATADOG_APP_KEY; this.site = site || process.env.DATADOG_SITE || process.env.DATADOG_API_HOST; if (!apiKey) { 
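Review bot: `new DatadogReporter(opts.apiKey, opts.site)` now puts the site in the constructor's second positional slot, which lib/reporters.js still declares as `appKey`, so the call works only because the constructor's regex recognises a hostname there. A `site` value that does not contain `datadoghq.` or `ddog-gov.` would be treated as an application key: the deprecation is logged and the site is dropped, so metrics would go to whatever `DATADOG_SITE`/`DATADOG_API_HOST` or the client default resolves to. Passing the slot explicitly avoids that: `this.reporter = opts.reporter || new DatadogReporter(opts.apiKey, undefined, opts.site);`. Separately, `opts.appKey` is now ignored here without any warning, so users who still set it on the logger options never learn that the credential can be removed from their config; a deprecation log when `opts.appKey` is set would close that gap. The enclosing constructor starts and ends outside the hunk.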
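Review bot: The new `if (!site && /(datadoghq|ddog-gov)\./.test(appKey))` branch needs a comment, because nothing in the constructor says why a value in the `appKey` slot is reinterpreted as the site; I would add `// Back-compat for callers passing (apiKey, site): a Datadog hostname in the appKey slot is taken as the site.` above it. The patch adds no import or definition for `logDeprecation` (the diffstat accounts for every added line in this file), so it is presumably already in scope in lib/reporters.js; that is worth confirming, since otherwise the else branch throws instead of warning. The message is a fixed string that never echoes the key value, which is the right choice for a credential, and it should stay that way if the wording changes. The constructor body continues past the end of the hunk.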
@@ -37,7 +49,6 @@ class DatadogReporter {
 const configuration = datadogApiClient.client.createConfiguration({
 authMethods: {
 apiKeyAuth: apiKey,
- appKeyAuth: appKey
 }
 });
 if (this.site) {