From bc9290e884c0c2e6d57e7172c5df38318a30fb08 Mon Sep 17 00:00:00 2001
From: Rob Brackett <rob@robbrackett.com>
Date: Sun, 10 Nov 2024 17:49:17 -0800
Subject: [PATCH] Drop support for application keys

Application keys are not actually needed for submitting metrics or distributions (or events or logs, in case we ever wind up supporting that), so specifying them risks exposing a potentially more powerful credential for no real reason. When support for them was originally added, this library used a single, globally configured Datadog client, so it made sense to allow configuring it with an app key in case a developer using this library *also* wanted to use that global API client for other things. That's no longer the case (the client is not accessible from outside this library), so there's no reason to continue to support this, which might encourage dangerous use.
---
 README.md        | 27 +++++++++++++++++++++------
 lib/loggers.js   |  5 +++--
 lib/reporters.js | 17 ++++++++++++++---
 3 files changed, 38 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index cda10aa..e75a2b4 100644
--- a/README.md
+++ b/README.md
@@ -128,12 +128,13 @@ Where `options` is an object and can contain the following:
       is required to send metrics.
     * Make sure not to confuse this with your _application_ key! For more
       details, see: https://docs.datadoghq.com/account_management/api-app-keys/
-* `appKey`: Sets the Datadog application key. (optional)
-    * It's usually best to keep this in an environment variable. Datadog-metrics
-      looks for the application key in `DATADOG_APP_KEY` by default.
-    * This is different from the API key (see above), which is required. For
-      more about the different between API and application keys, see:
-      https://docs.datadoghq.com/account_management/api-app-keys/
+* `appKey`: ⚠️ Deprecated. This does nothing and will be removed in an upcoming
+    release.
+
+    Sets the Datadog _application_ key. This is not actually needed for sending
+    metrics or distributions, and you probably shouldn’t set it. Do not confuse
+    this with your _API_ key! For more, see:
+    https://docs.datadoghq.com/account_management/api-app-keys/
 * `defaultTags`: Default tags used for all metric reporting. (optional)
     * Set tags that are common to all metrics.
 * `onError`: A function to call when there are asynchronous errors seding
@@ -307,8 +308,22 @@ npm test
 
 * In Development:
 
+    **Breaking Changes:**
+
+    TBD
+
+    **New Features:**
+
     TBD
 
+    **Bug Fixes:**
+
+    TBD
+
+    **Maintenance:**
+
+    * Deprecated the `appKey` option. Application keys (as opposed to API keys) are not actually needed for sending metrics or distributions to the Datadog API. Including it in your configuration adds not benefits, but risks exposing a sensitive credential.
+
     [View diff](https://github.com/dbader/node-datadog-metrics/compare/v0.11.4...main)
 
 * 0.11.4 (2024-11-10)
diff --git a/lib/loggers.js b/lib/loggers.js
index 1c6c8f7..8448a46 100644
--- a/lib/loggers.js
+++ b/lib/loggers.js
@@ -31,7 +31,8 @@ const Distribution = require('./metrics').Distribution;
 /**
  * @typedef {object} BufferedMetricsLoggerOptions
  * @property {string} [apiKey] Datadog API key
- * @property {string} [appKey] Datadog APP key
+ * @property {string} [appKey] DEPRECATED: App keys aren't actually used for
+ *           metrics and are no longer supported.
  * @property {string} [host] Default host for all reported metrics
  * @property {string} [prefix] Default key prefix for all metrics
  * @property {string} [site] Sets the Datadog "site", or server where metrics
@@ -87,7 +88,7 @@ class BufferedMetricsLogger {
         /** @private */
         this.aggregator = opts.aggregator || new Aggregator(opts.defaultTags);
         /** @private */
-        this.reporter = opts.reporter || new DatadogReporter(opts.apiKey, opts.appKey, opts.site);
+        this.reporter = opts.reporter || new DatadogReporter(opts.apiKey, opts.site);
         /** @private */
         this.host = opts.host;
         /** @private */
diff --git a/lib/reporters.js b/lib/reporters.js
index 8d6b195..9058c4c 100644
--- a/lib/reporters.js
+++ b/lib/reporters.js
@@ -25,12 +25,24 @@ class DatadogReporter {
     /**
      * Create a reporter that sends metrics to Datadog's API.
      * @param {string} [apiKey]
-     * @param {string} [appKey]
+     * @param {string} [appKey] DEPRECATED! This argument does nothing.
      * @param {string} [site]
      */
     constructor(apiKey, appKey, site) {
+        if (appKey) {
+            if (!site && /(datadoghq|ddog-gov)\./.test(appKey)) {
+                site = appKey;
+                appKey = null;
+            } else {
+                logDeprecation(
+                    'The `appKey` option is no longer supported since it is ' +
+                    'not used for submitting metrics, distributions, events, ' +
+                    'or logs.'
+                );
+            }
+        }
+
         apiKey = apiKey || process.env.DATADOG_API_KEY;
-        appKey = appKey || process.env.DATADOG_APP_KEY;
         this.site = site || process.env.DATADOG_API_HOST;
 
         if (!apiKey) {
@@ -40,7 +52,6 @@ class DatadogReporter {
         const configuration = datadogApiClient.client.createConfiguration({
             authMethods: {
                 apiKeyAuth: apiKey,
-                appKeyAuth: appKey
             }
         });
         if (this.site) {