From ef86bf5cba65af3dc3db10944cec8d40d848daaa Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Fri, 13 Apr 2018 09:33:55 +0200 Subject: [PATCH] Use API key instead of clientSecret As recently discovered we send the clientSecret to the webclient which is potentionally dangerous. This patch should fix the problem and replace the clientSecret with the originally intended and correct way to implement it using the API key. Signed-off-by: Sheogorath --- app.js | 2 +- lib/config/default.js | 1 + lib/config/environment.js | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/app.js b/app.js index fcf905d59..63b880c73 100644 --- a/app.js +++ b/app.js @@ -33,7 +33,7 @@ var data = { urlpath: config.urlPath, debug: config.debug, version: config.version, - GOOGLE_API_KEY: config.google.clientSecret, + GOOGLE_API_KEY: config.google.apiKey, GOOGLE_CLIENT_ID: config.google.clientID, DROPBOX_APP_KEY: config.dropbox.appKey, allowedUploadMimeTypes: config.allowedUploadMimeTypes diff --git a/lib/config/default.js b/lib/config/default.js index 68849d361..db0c03629 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -104,6 +104,7 @@ module.exports = { appKey: undefined }, google: { + apiKey: undefined, clientID: undefined, clientSecret: undefined }, diff --git a/lib/config/environment.js b/lib/config/environment.js index 3dde47869..8e1e51711 100644 --- a/lib/config/environment.js +++ b/lib/config/environment.js @@ -74,6 +74,7 @@ module.exports = { appKey: process.env.HMD_DROPBOX_APPKEY }, google: { + apiKey: process.env.HMD_GOOGLE_APIKEY, clientID: process.env.HMD_GOOGLE_CLIENTID, clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET },