Clarification request on Exposure of Nuxt Config with 'credentials' #341

Status: Open
nicokempe opened this issue Apr 2, 2024 · 0 comments
Labels: bug (Something isn't working)

Comment by @nicokempe:

Environment

  • Operating System: Darwin
  • Node Version: v20.5.0
  • Nuxt Version: 3.11.1
  • CLI Version: 3.11.1
  • Package Manager: pnpm@8.14.1
  • User Config: devtools, modules, supabase
  • Runtime Modules: @nuxtjs/supabase@1.2.0

Reproduction Link

https://github.com/nuxt-modules/supabase/tree/main/demo

Steps to reproduce

  1. Set up a new Nuxt 3 project with the Supabase module.
  2. Configure the project to use environment variables for Supabase tokens and URLs.
  3. Observe that these tokens and URLs are exposed in plain text in the window.__NUXT__.config script block in the browser DevTools.
  4. Verify this behavior by accessing Supabase with the "exposed" credentials from the Demo page of the Supabase module.

What is Expected?

Sensitive information like Supabase tokens and URLs should not be exposed in the client-side code. These details should remain secure and confidential, especially when the application is built for production. -> I am no security expert, so I don't know if this is possibly just the intended functionality and it should work like this? It feels wrong to be able to access the Supabase data of others and to create users or log in with them on my own page. I don't know how much more is possible (creating tables or gathering user data), and whether this is even possible with this key or if the service key is needed for such things.

What is actually happening?

The entire Nuxt configuration, including sensitive information such as Supabase tokens and URLs, is being exposed in the window.__NUXT__.config script block. This exposure presents a significant security risk, as it allows anyone with knowledge of browser DevTools to access and potentially misuse these credentials. As I have already said, I am not sure if this key can be used to do really "bad" things, but I would not want others to be able to register with just an email & password if I only provide OAuth via GitHub on my page, for example like on the demo page. 😄

[screenshot attached]

I was able to access some tokens using the exposed key. But I am not sure how sensitive they actually are or if those are public keys (they don't look as if they are, but I don't know; as I have already said, I am not a security expert, just a developer who saw something that looked like a security problem, which is why I am reporting / asking this):
[screenshot attached]

nicokempe added the bug label on Apr 2, 2024
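To triage the report above, here is an added Node.js example (not code from the issue, from Nuxt, or from the @nuxtjs/supabase module). It mirrors the Nuxt 3 rule that only `runtimeConfig.public` (and `runtimeConfig.app`) is serialized into the client payload that ends up as `window.__NUXT__.config`, then decodes any JWT-shaped string in that shipped subset to read the Supabase `role` claim: an `anon` key is meant to be public and relies on Row Level Security, whereas a `service_role` key bypasses RLS and must never reach the browser. The config layout (`public.supabase.url` / `public.supabase.key`, private `supabase.serviceKey`) follows the module's SUPABASE_URL / SUPABASE_KEY / SUPABASE_SERVICE_KEY environment variables as I understand them and is an assumption; the JWTs and both configs are constructed for the demo and unsigned.

```javascript
// Added example: not code from the issue or from nuxt-modules/supabase.
// Models which runtimeConfig keys Nuxt 3 serializes to the browser and
// classifies any Supabase JWT found there by its `role` claim.

// Nuxt 3 rule: `public` and `app` are serialized into the client payload
// (reachable as window.__NUXT__.config); other top-level keys stay server-side.
function clientVisibleConfig(runtimeConfig) {
  return {
    public: runtimeConfig.public ?? {},
    app: runtimeConfig.app ?? {},
  };
}

const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Read the claims of a JWT without verifying it (triage only, no trust placed in it).
function decodeJwtPayload(token) {
  if (typeof token !== 'string' || !JWT_SHAPE.test(token)) return null;
  try {
    const claims = JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
    return claims && typeof claims === 'object' ? claims : null;
  } catch {
    return null;
  }
}

// Recursively collect every JWT-shaped string together with its dotted path.
function findJwts(value, path = '', out = []) {
  if (typeof value === 'string') {
    const claims = decodeJwtPayload(value);
    if (claims) out.push({ path, claims });
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findJwts(v, path ? `${path}.${k}` : k, out);
    }
  }
  return out;
}

// Supabase API keys are JWTs: role `anon` is publishable by design (access is
// gated by Row Level Security); role `service_role` bypasses RLS and is a secret.
function classifyExposure(runtimeConfig) {
  return findJwts(clientVisibleConfig(runtimeConfig)).map(({ path, claims }) => ({
    path,
    role: claims.role,
    severity: claims.role === 'service_role' ? 'CRITICAL' : 'expected',
  }));
}

// Constructed, unsigned JWT for the demo; not a real Supabase key.
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.sig`;
}

// Assumed layout used by @nuxtjs/supabase: SUPABASE_URL / SUPABASE_KEY under
// public.supabase, SUPABASE_SERVICE_KEY under the private top-level supabase key.
const sampleConfig = {
  supabase: { serviceKey: fakeJwt({ iss: 'supabase', role: 'service_role' }) },
  public: {
    supabase: {
      url: 'https://example.supabase.co',
      key: fakeJwt({ iss: 'supabase', role: 'anon' }),
    },
  },
};

// Misconfiguration: the service key was placed under `public` by mistake.
const leakyConfig = {
  public: {
    supabase: {
      url: 'https://example.supabase.co',
      key: fakeJwt({ iss: 'supabase', role: 'service_role' }),
    },
  },
};

console.log(classifyExposure(sampleConfig));
console.log(classifyExposure(leakyConfig));
```

Run with `node` and the first config yields a single `expected` finding at `public.supabase.key` (the anon key), while the second yields a `CRITICAL` one. Seeing the anon key in `window.__NUXT__` is therefore by design for this module; the things worth checking in a real project are that the private `serviceKey` never appears in the shipped subset, that RLS is enabled on every table the anon role can reach, and that the Supabase Auth provider settings do not allow email/password sign-up when only OAuth is intended.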