Drop support for application keys #127
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Mr0grog
force-pushed
the
drop-dangerous-unused-credentials
branch
from
bc9290e to
04b0243
Compare
|
Rebased to merge cleanly on top of |
Mr0grog
force-pushed
the
drop-dangerous-unused-credentials
branch
from
0c3938f to
787aee4
Compare
Application keys are not actually needed for submitting metrics or distributions (or events or logs, in case we ever wind up supporting that), so specifying them risks exposing a potentially more powerful credential for no real reason. When support for them was originally added, this library used a single, globally configured Datadog client, so it made sense to allow configuring it with an app key in case a developer using this library *also* wanted to use that global API client for other things. That's no longer the case (the client is not accessible from outside this library), so there's no reason to continue to support this, which might encourage dangerous use.
Mr0grog
force-pushed
the
drop-dangerous-unused-credentials
branch
from
787aee4 to
f1d9183
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Every so often folks run into trouble by mixing up API and application keys. Back in #118, I added more documentation and error messaging to help clarify potential issues, but I also noticed that the application keys don’t actually seem to be needed.
I did some testing and it turns out they definitely are not needed for submitting metrics, distributions, events, or logs (we don’t do the last two, but there is an open issue about supporting events). As far as I can tell, there’s no way for Datadog users to tell what application key something was submitted with, so they really don’t seem to have any value at all for our current use cases. Given the narrow goals of this library, we probably don’t ever want to support more complicated stuff that we would need application keys for, either.
Support was originally added by @gert-fresh back in 2015/2016 in PR #7. There’s not much description there, but I think it was because this library used to configure a single, globally available Datadog client, so a developer using this library might also want to use that client to do other things requiring an application key. That’s no longer how things work here today (each reporter instance has its own client, and those clients are not available to user code). Assuming I understand that correctly, the original use case is obsolete.
Total side note: I haven’t touched this package in a while, but a few recent issues brought my attention back to it, so I thought I’d do some work on old issues and ideas that have been kicking around here. I figure I’ll work on a bunch of updates that might deprecate some things (like this, or #125) in the next week or so, and then cut another release at the start of next year that actually removes all the deprecations and cleans things out. Maybe we require a more recent version of Node.js then, too, so we can update some of our dev tooling (much of which has moved on to requiring Node.js 18+, which we only require 12+ here).