Secrets support #1492
Comments
|
There's an ugly workaround for frontend code - put them into localstorage of preview frame. |
|
And you can copy them into cookie to access them from node :) |
@mwisnicki Do you have some sample node code for this? What you're proposing is extremely unusual... accessing browser LocalStorage from node.js I'm unable to access LocalStorage from node as expected. |
|
Has anyone made a secrets example in SB? Like a way to have a public sandbox that uses database passwords safely? I know this is not supported, @d3lm should we expect this in 2022, or should we workaround it now? Has anyone made an example of a Cookie based approach to storing secrets locally in a not to inconvenient way, one that shares the secret with the WC Node.js? Also happy one year anniversary for this issue. Codesandbox knocked this one off the park IMO, that was one of the few things I didn't complain about when I was using them: https://codesandbox.io/docs/secrets (They didn't even support Vite in sandboxes until I bugged them about it a few months ago) |
|
Unfortunately cookies seem to not work in StackBlitz so as an alternative I'm passing secrets explicitly to an api endpoint and then reload the page: https://stackblitz.com/edit/node-secrets-example-localstorage?file=index.js |
Wow, that is not what I would have done. My idea was to store the secrets in local storage and then pass them to the server with websockets or in url parameters in a fetch request. Your idea is better, somehow... I have a strong feeling it can work... We just need to whitelist what cookies we allow and specify where to expect them from... Standby, Sandbox incoming |
|
You can also override fetch to always pass secrets in headers. Might be easier that way. |
|
Actually I think the cleanest solution would be something that works similar to login pages:
|
|
https://stackblitz.com/edit/secrets-demo I had a million ideas, only three work well enough right now.
These do not work:
For my uses, an ESM module that handles this would work fine. I always use Vite, so a vite plugin that stalls bootup until it receives secrets would be fine for me. Deleting secrets may need a cache clear. I'd also like the solution to work on incognito mode... which restricts cookies and serviceWorkers... but sessionstorage and localstorage seem to work fine. localstorage is sometimes unavailable for dumb reasons, like if safari is running in instagram. Port based ideas or ones that run on a detached spawn have an issue of, how do we communicate the secret while maintaining Vavite/Vite HMR, when we don't have IPC. We could save them to a file like The best solution would be
Update from Discord's sylwiavargas
Not sure if this provides cross device sync... Developing |
|
Could an integration with doppler work for secrets management across sb? https://www.doppler.com/integrations |
StackBlitz has no such thing as a secure side and a public side. This makes Runkit, Code spaces, codesandbox or Kubernetes style secrets mathematically impossible. There are two workarounds:
|
|
https://vitejs.dev/guide/api-plugin.html#client-server-communication This is a new solution that could be really neat for projects that run vite. The idea is to fetch localStorage keys beginning with |
|
If you set your browser to forget site history... this might work. It's probably better than storing secrets in your sandbox. For secrets longer than 16 characters... it will take a while. |
|
Popping on in to say I'm building a demo for a conference that uses the OpenAI API. I'd like for conference attendees to be able to use the project, but it currently requires setting env vars. Having a way to configure and inject env vars into a StackBlitz project without sharing them would be a big win for this use case. The feature would be a secret store that StackBlitz manages for a project per account instead of per project. When starting the project for the first time you'd be prompted to hydrate the secrets with your own values. For some inspiration, Autocode has a decent approach to this: https://autocode.com |
Is your feature request related to a problem? Please describe.
I'd like to be able to specify API secrets in a StackBlitz project without sharing them publicly. I'm fine with the code being shared publicly (because the repository itself is open-source), but I don't want to have certain environment variables (e.g. API keys, secret tokens) shared publicly.
Describe the solution you'd like
I'd like to be able to specify secrets in a project's settings (that are only accessible via
process.envwhen I'm logged in). Essentially, I just want StackBlitz to have CodeSandbox's existing secrets feature.Describe alternatives you've considered
I could (if it's possible) create a private StackBlitz project and then just add the environment variables in a
.env.localfile.Additional context
I'm trying to get Tutorbook working as a StackBlitz project so that I can edit on the go (via any web browser) wherever I am.
The text was updated successfully, but these errors were encountered: