Securely access .env variable
Unanswered
Yellowhead catfish posted this in #help-forum
Yellowhead catfishOP
I'm using the
use-last-fm hook (https://github.com/alii/use-last-fm) but it requires an API key, how would I securely access the API key from my .env file?24 Replies
Yellowhead catfishOP
bump
Styrian Coarse-haired Hound
1. create .env.local file
2. to the file, add key with the name REACT_{KEY NAME}={KEY VALUE}
3. when you need to use the key, write this code:
const apikey = process.env.REACT{KEY NAME};
4. make sure you dont send your .env.local file to github or any other version control system. the key will be used when you ship your app to production, but wont be visible to anyone using the app
2. to the file, add key with the name REACT_{KEY NAME}={KEY VALUE}
3. when you need to use the key, write this code:
const apikey = process.env.REACT{KEY NAME};
4. make sure you dont send your .env.local file to github or any other version control system. the key will be used when you ship your app to production, but wont be visible to anyone using the app
@Styrian Coarse-haired Hound 1. create .env.local file
2. to the file, add key with the name REACT_{KEY NAME}={KEY VALUE}
3. when you need to use the key, write this code:
const api_key = process.env.REACT_{KEY NAME};
4. make sure you dont send your .env.local file to github or any other version control system. the key will be used when you ship your app to production, but wont be visible to anyone using the app
Yellowhead catfishOP
REACT? i thought its NEXT_PUBLIC or something..
but will it still be secure even if its a client component
but will it still be secure even if its a client component
@Yellowhead catfish I'm using the `use-last-fm` hook (<https://github.com/alii/use-last-fm>) but it requires an API key, how would I securely access the API key from my .env file?
this hook is intended to be used on the client so if you want to expose an environment variable to the client it should be prefixed with
NEXT_PUBLIC_. anyone can see it in the bundle so make sure the key you use is supposed to be public@Yellowhead catfish REACT? i thought its NEXT_PUBLIC or something..
but will it still be secure even if its a client component
Styrian Coarse-haired Hound
idk, the last time I used .env.local, it was with a react app, then I switched to nextjs
@Rafael Almeida this hook is intended to be used on the client so if you want to expose an environment variable to the client it should be prefixed with `NEXT_PUBLIC_`. anyone can see it in the bundle so make sure the key you use is supposed to be public
Yellowhead catfishOP
well it's an API key it should be hidden but I need to access it in order to use the hook
American Crow
FYI
OP wants to hit this endpoint
created a custom hook
https://github.com/alii/use-last-fm/blob/master/src/index.ts
----
Solution IMO:
You'll have to go the detour of creating a routehandler (endpoint) e.g.
Inside that endpoint (route.ts) you can securely read in your API key.
Move the communication with lastFM API into this newly created endpoint
After that adjust your
OP wants to hit this endpoint
const endpoint = `//ws.audioscrobbler.com/2.0/?method=user.getrecenttracks&user=${username}&api_key=${token}&format=json&limit=1`;created a custom hook
useLastFMand fetch with useSWRhttps://github.com/alii/use-last-fm/blob/master/src/index.ts
----
Solution IMO:
You'll have to go the detour of creating a routehandler (endpoint) e.g.
app/myLastFM/route.tsInside that endpoint (route.ts) you can securely read in your API key.
Move the communication with lastFM API into this newly created endpoint
After that adjust your
useLastFM & useSWR to fetch your newly created endpoint /api/myLastFM .American Crow
// Edit
Solution 2:
If you are willing to do everything server side:
Create Server component and do everything there using a normal
(But i think you don't want that reading this thread)
Solution 2:
If you are willing to do everything server side:
Create Server component and do everything there using a normal
fetch(But i think you don't want that reading this thread)
@Yellowhead catfish well it's an API key it should be hidden but I need to access it in order to use the hook
in order to use the hook you have to send the api key to the client
so @American Crow’s solution 2 is best
you could also use an api route if you wanted
instead of server components
that would hide the api key
Yellowhead catfishOP
thank you guys for all the good ideas I'll try them out once I'm home :)
@American Crow // Edit
Solution 2:
If you are willing to do everything server side:
Create Server component and do everything there using a normal `fetch`
(But i think you don't want that reading this thread)
Yellowhead catfishOP
no clue how to do this since my index page is client component since it uses other hooks and stuff
@American Crow FYI
OP wants to hit this endpoint
const endpoint = `//ws.audioscrobbler.com/2.0/?method=user.getrecenttracks&user=${username}&api_key=${token}&format=json&limit=1`;
created a custom hook `useLastFM`and fetch with `useSWR`
https://github.com/alii/use-last-fm/blob/master/src/index.ts
----
Solution IMO:
You'll have to go the detour of creating a routehandler (endpoint) e.g. `app/myLastFM/route.ts`
Inside that endpoint (route.ts) you can securely read in your API key.
Move the communication with lastFM API into this newly created endpoint
After that adjust your `useLastFM` & `useSWR` to fetch your newly created endpoint `/api/myLastFM` .
Yellowhead catfishOP
well i tried making my fork of the library and making it read process.env.LASTFM_KEY but i cant figure out how to install it
@Yellowhead catfish no clue how to do this since my index page is client component since it uses other hooks and stuff
American Crow
make an empty server component the new index page (page.tsx). Rename your current client index page to ClientComponent (or a fitting name). Open the new page.tsx (now an empty server component) and import the client component
Yellowhead catfishOP
oh
American Crow
After that do the fetch in the server component
and pass data down into the client component
const data = await fetch('http://audoscroblerwhateverthefuck')and pass data down into the client component
Yellowhead catfishOP
that makes sense to be fair
thank you ill try that
yeah you cant use this library and have the api key hidden
because the hook will only run on a client component
and for you to run the hook on the client you have to expose the api key to the client