Next.js 中的令牌可见性
[英]Token visibility in Next.js
问题描述
Is a fetch request token in a next.js app visible to a client side user?
客户端用户是否可以看到 next.js 应用程序中的获取请求令牌?
I must to prepare an application using GitHub GraphQL API. I though about using fetch request with a bearer token for it, but I have a doubts about security and good practices in my app.我必须使用 GitHub GraphQL API 准备一个应用程序。我虽然考虑使用带有不记名令牌的获取请求,但我对我的应用程序中的安全性和良好实践有疑问。
fetch((`https://api.github.com/graphql`, {
method: 'POST',
headers: {
"Content-Type": 'application/json',
'Authorization': 'Bearer ' + TOKEN,
},
body: JSON.stringify({
query: `
{
search(query: "is:public", type: REPOSITORY, first: 10) {
repositoryCount
pageInfo {
endCursor
startCursor
}
edges {
node {
... on Repository {
name
}
}
}
}
}
`
})
}))
1 个解决方案
解决方案1
0 2021-10-07 03:30:57
According to the Next.js docs , you need to create a .env.local file at the root of the project directory and add the secrets.根据 Next.js 文档,您需要在项目目录的根目录下创建一个.env.local文件并添加机密。
When adding secrets, you need to prefix the secret with NEXT_PUBLIC_ to expose it to the browser.添加secret时,需要在secret前加上NEXT_PUBLIC_前缀,暴露给浏览器。 For example:例如:
NEXT_PUBLIC_GITHUB_TOKEN=amogussus
According to the docs:根据文档:
The value will be inlined into JavaScript sent to the browser because of the
NEXT_PUBLIC_prefix.NEXT_PUBLIC_前缀,该值将被内联到发送到浏览器的 JavaScript 中。
Then you might add it into your code with process.env.NEXT_PUBLIC_GITHUB_TOKEN然后你可以使用process.env.NEXT_PUBLIC_GITHUB_TOKEN将它添加到你的代码中
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.