N
Nuxt2d ago
Samuelreichoer

Hide secret token in plugin install options

How do I properly hide a secret token used in plugin options?
11 Replies
kapa.ai
kapa.ai2d ago
Hi @Samuelreichoer. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave: ---------------------- To properly hide a secret token used in plugin options in Nuxt, you should use the runtimeConfig feature. This allows you to securely manage sensitive information without exposing it in client-side code. Here's how to do it: 1. First, define your secret token in the runtimeConfig section of your nuxt.config.ts file: 
export default defineNuxtConfig({
  runtimeConfig: {
    // Server-side only secrets
    apiSecret: 'default-secret-value',
    // Keys within public are also exposed client-side
    public: {
      apiBase: '/api'
    }
  }
})
export default defineNuxtConfig({
  runtimeConfig: {
    // Server-side only secrets
    apiSecret: 'default-secret-value',
    // Keys within public are also exposed client-side
    public: {
      apiBase: '/api'
    }
  }
})
2. In production, override this value using an environment variable prefixed with NUXT_: 
NUXT_API_SECRET=your-actual-secret-token
NUXT_API_SECRET=your-actual-secret-token
You can set this in your .env file during development, but in production, you should use your platform's environment variable system. 3. Access the token in your server-side code using the useRuntimeConfig() composable: 
// In a server plugin or API route
const config = useRuntimeConfig()
const secretToken = config.apiSecret
// In a server plugin or API route
const config = useRuntimeConfig()
const secretToken = config.apiSecret
For server routes, it's recommended to pass the event to get runtime config values that are properly overwritten by environment variables: 
export default defineEventHandler(async (event) => {
  const config = useRuntimeConfig(event)
  // Use config.apiSecret here
})
export default defineEventHandler(async (event) => {
  const config = useRuntimeConfig(event)
  // Use config.apiSecret here
})
Important notes: - Only put secrets in the root of runtimeConfig, not in the public property, as anything in public will be exposed to the client - If you need to use a configuration value on both server and client, make sure it's not sensitive and place it in runtimeConfig.public Nuxt Configuration provides more details about managing environment variables and private tokens. Runtime Config documentation explains how to use environment variables with the .env file during development. ---------------------- Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: ----------------------
kapa.ai
kapa.ai2d ago
<@1065266379382587422> Kapa.ai is still learning and improving, please let me know how I did by reacting below.
Samuelreichoer
SamuelreichoerOP2d ago
@kapa.ai I mean how do I do it with a custom plugin that I maintain craftcms: { baseUrl: process.env.NUXT_PRIMARY_SITE_URL, authToken: 'Bearer iIkWn1cMYA181On591yqdhJluAzI-r1c', debug: false,
kapa.ai
kapa.ai2d ago
Let me check the knowledge base for you again. One moment! :books: ---------------------- I understand you're looking to properly hide the authentication token in your custom CraftCMS plugin configuration. Based on your previous question and this follow-up, here's how to secure that token in a Nuxt application: Securing Your CraftCMS Plugin Token Instead of hardcoding the token directly in your plugin configuration, you should use Nuxt's runtime config system: 1. First, modify your nuxt.config.ts to include the token in the runtime config: 
export default defineNuxtConfig({
  runtimeConfig: {
    // Server-side only secrets
    craftCmsAuthToken: process.env.NUXT_CRAFT_CMS_AUTH_TOKEN || '',
    public: {
      // Public config here
    }
  },
  // Your plugin configuration
  craftcms: {
    baseUrl: process.env.NUXT_PRIMARY_SITE_URL,
    // Reference to the token will be handled in the plugin
    debug: false,
  }
})
export default defineNuxtConfig({
  runtimeConfig: {
    // Server-side only secrets
    craftCmsAuthToken: process.env.NUXT_CRAFT_CMS_AUTH_TOKEN || '',
    public: {
      // Public config here
    }
  },
  // Your plugin configuration
  craftcms: {
    baseUrl: process.env.NUXT_PRIMARY_SITE_URL,
    // Reference to the token will be handled in the plugin
    debug: false,
  }
})
2. In your plugin's setup code, access the token using useRuntimeConfig(): 
// In your plugin file
export default defineNuxtPlugin((nuxtApp) => {
  const config = useRuntimeConfig()
  
  // Access the secret token from runtime config
  const authToken = config.craftCmsAuthToken
  
  // Initialize your plugin with the secure token
  // ...
})
// In your plugin file
export default defineNuxtPlugin((nuxtApp) => {
  const config = useRuntimeConfig()
  
  // Access the secret token from runtime config
  const authToken = config.craftCmsAuthToken
  
  // Initialize your plugin with the secure token
  // ...
})
3. Set the actual token value in your environment: - During development: Add to your .env file: NUXT_CRAFT_CMS_AUTH_TOKEN=Bearer iIkWn1cMYA181On591yqdhJluAzI-r1c - In production: Set it as an environment variable on your hosting platform This approach ensures your token is: - Not exposed in client-side code - Not committed to your repository - Configurable through environment variables Remember that the .env file is only used during development and build time. In production, you'll need to set the environment variables directly on your server or hosting platform as mentioned in the Nuxt documentation on environment variables. ---------------------- Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: ----------------------
kapa.ai
kapa.ai2d ago
<@1065266379382587422> Kapa.ai is still learning and improving, please let me know how I did by reacting below.
Samuelreichoer
SamuelreichoerOP2d ago
@kapa.ai That's not a good dx, I loose all the ts support and I also need this token on client side requests
kapa.ai
kapa.ai2d ago
Let me check the knowledge base for you again. One moment! :books: ---------------------- I understand your concerns about losing TypeScript support and needing the token for client-side requests. In this case, you have a few options for handling authentication tokens that need to be available on the client side while maintaining TypeScript support. For Client-Side Access with TypeScript Support If you need the token on the client side, you can use runtimeConfig.public instead: 
export default defineNuxtConfig({
  runtimeConfig: {
    public: {
      craftCmsAuthToken: process.env.NUXT_PUBLIC_CRAFT_CMS_AUTH_TOKEN || '',
    }
  },
  // Your plugin configuration with TypeScript support preserved
  craftcms: {
    baseUrl: process.env.NUXT_PRIMARY_SITE_URL,
    debug: false,
    // Other type-checked options here
  }
})
export default defineNuxtConfig({
  runtimeConfig: {
    public: {
      craftCmsAuthToken: process.env.NUXT_PUBLIC_CRAFT_CMS_AUTH_TOKEN || '',
    }
  },
  // Your plugin configuration with TypeScript support preserved
  craftcms: {
    baseUrl: process.env.NUXT_PRIMARY_SITE_URL,
    debug: false,
    // Other type-checked options here
  }
})
Then in your plugin or components: 
const config = useRuntimeConfig()
const authToken = config.public.craftCmsAuthToken
const config = useRuntimeConfig()
const authToken = config.public.craftCmsAuthToken
Important Security Considerations However, be aware that putting authentication tokens in public means they will be visible in the client-side JavaScript bundle. This creates security risks as anyone can inspect your site and extract the token. For client-side authentication, consider these alternatives: 1. App Config: Use app.config.ts if the value is determined at build time and doesn't need to change: 
// app.config.ts
export default defineAppConfig({
  craftcms: {
    authToken: process.env.NUXT_PUBLIC_CRAFT_CMS_AUTH_TOKEN
  }
})
// app.config.ts
export default defineAppConfig({
  craftcms: {
    authToken: process.env.NUXT_PUBLIC_CRAFT_CMS_AUTH_TOKEN
  }
})
Then access it with useAppConfig() in your components. 2. Proxy API Requests: A more secure approach is to create server routes that proxy requests to CraftCMS: 
// server/api/craft/[...].ts
export default defineEventHandler(async (event) => {
  const config = useRuntimeConfig(event)
  // Use private token here to make requests to CraftCMS
  // Return only necessary data to client
})
// server/api/craft/[...].ts
export default defineEventHandler(async (event) => {
  const config = useRuntimeConfig(event)
  // Use private token here to make requests to CraftCMS
  // Return only necessary data to client
})
3. Read-Only Token: As mentioned in a similar case, you could use a read-only token if your CraftCMS setup allows it. If you absolutely must use the token on the client side, understand that it cannot be truly hidden from users and should have limited permissions. Would you like more specific guidance on implementing any of these approaches? Stack Overflow Post discusses similar authentication token challenges in Nuxt. App Config Documentation provides details on using app config for client-side values. ---------------------- Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: ----------------------
kapa.ai
kapa.ai2d ago
<@1065266379382587422> Kapa.ai is still learning and improving, please let me know how I did by reacting below.
Samuelreichoer
SamuelreichoerOP2d ago
@kapa.ai How does storyblok or other cms sdks manage this?
kapa.ai
kapa.ai2d ago
Let me check the knowledge base for you again. One moment! :books: ---------------------- Based on the knowledge sources provided, I don't have specific information about how Storyblok or other CMS SDKs manage authentication tokens in Nuxt applications. The knowledge sources don't contain details about Storyblok's implementation or other CMS SDKs' authentication approaches. However, I can share some insights about authentication approaches in Nuxt based on the available information: 1. Cookie-based authentication: Many Nuxt applications use cookies for authentication tokens, which can be accessed both server-side and client-side. The useCookie composable is recommended for this approach as mentioned in a Stack Overflow answer: 
const accessToken = useCookie("accessToken");
accessToken.value = "yourToken"; // sets the cookie
accessToken.value = undefined; // removes the cookie
const accessToken = useCookie("accessToken");
accessToken.value = "yourToken"; // sets the cookie
accessToken.value = undefined; // removes the cookie
This approach works both server-side and client-side, unlike localStorage which is only available on the client side Stack Overflow Post. 2. Nuxt Content Studio uses GitHub authentication or Google authentication for its CMS interface, which might be a different approach than what you're looking for with your custom plugin Nuxt Content Studio Setup. 3. Some developers create custom authentication plugins that handle tokens through a centralized approach, often using Pinia stores to manage state across the application. If you're specifically interested in how Storyblok or other CMS SDKs handle authentication in Nuxt, I'd recommend checking their official documentation or GitHub repositories for implementation details, as this information isn't available in the provided knowledge sources. Would you like me to elaborate on any of these authentication approaches that might be applicable to your use case? ---------------------- Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: ----------------------
kapa.ai
kapa.ai2d ago
<@1065266379382587422> Kapa.ai is still learning and improving, please let me know how I did by reacting below.

Did you find this page helpful?