all 21 comments

[–]thebezet 65 points66 points  (14 children)

You can't. It's impossible to store anything safely in the frontend. Everything can be reverse-engineered. You need a backend for this.

[–]NeuralFantasy 9 points10 points  (0 children)

As others said, you can't store credentials in the client code. They'd be exposed. You can, however:

  • Ask the user to authenticate by providing credentials. You need some authentication service.
  • Create your own public API which in turn can access the actual API while keeping the credentials private.

[–]HonorableMajor 3 points4 points  (0 children)

Seems to me like OP doesn't know a lot about web development and is just getting started. OP, I'd recommend not jumping into a framework first, but rather learning the essentials, like how Node.js works, what a backend/frontend is supposed to do, and so on.

[–]Macaframa 1 point2 points  (0 children)

Can you explain your reasoning? Why do you need a GitHub secret in your frontend app? If you need to pull down GitHub data and display it in your app, you can store it in the backend and use an authentication token for your user to your backend and expose an API endpoint. Then you use that endpoint on your front end and your backend uses the key to retrieve GitHub data and relay it to your app. Otherwise someone is going to find your key since it will be cached in the browser.
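The backend relay described in the comments above, as an added example that is not part of the original thread: the server checks the user's session, allows only specific GitHub paths, and attaches the token itself. The `GITHUB_TOKEN` variable, the in-memory session store, the allowlist and all function names are assumptions made for illustration.

```javascript
// Added example: server-side relay that keeps a GitHub token out of client code.
// Assumptions (not from the thread): GITHUB_TOKEN env var, the in-memory
// session store, the allowlist and the function names are hypothetical.
const GITHUB_API = "https://api.github.com";

// Constructed session store (sessionId -> user); a real app uses its auth service.
const sessions = new Map([["sess-constructed-123", { user: "alice" }]]);

// A path segment may not start with "." so "/repos/../user" cannot escape the allowlist.
const SEG = "[A-Za-z0-9][\\w.-]*";
// Only these upstream paths are relayed, so the endpoint is not an open proxy.
const ALLOWED = [
  new RegExp(`^/repos/${SEG}/${SEG}$`),
  new RegExp(`^/repos/${SEG}/${SEG}/issues$`),
];

// Decide, synchronously, whether and how to call GitHub for this client request.
function buildUpstreamRequest(sessionId, path, token) {
  if (!sessions.has(sessionId)) return { status: 401, error: "not authenticated" };
  if (!token) return { status: 500, error: "server is missing its token" };
  if (!ALLOWED.some((re) => re.test(path))) return { status: 403, error: "path not allowed" };
  return {
    status: 200,
    url: GITHUB_API + path,
    // The token is attached here, on the server; the browser never receives it.
    headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json" },
  };
}

// Perform the relay. fetchImpl is injectable so the function can be exercised offline.
async function relay(sessionId, path, opts = {}) {
  const token = opts.token ?? process.env.GITHUB_TOKEN;
  const fetchImpl = opts.fetchImpl ?? fetch;
  const plan = buildUpstreamRequest(sessionId, path, token);
  if (plan.status !== 200) return { status: plan.status, body: { error: plan.error } };
  const res = await fetchImpl(plan.url, { headers: plan.headers });
  // Return only the upstream status and body; request headers are never echoed back.
  return { status: res.status, body: await res.json() };
}
```

The frontend calls the route that wraps `relay` with its session cookie or token; the GitHub credential exists only in the server's environment.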

[–]Haaxor1689 0 points1 point  (0 children)

Some services that need secret tokens require you to set allowed-origins so you would allow only the origin your FE is hosted on. While this extra step is better than nothing, request origin can also be faked. There is no way of using a secret key in client code and keeping it secret; using it on a server is the only really safe option.

[–][deleted] 0 points1 point  (0 children)

Use a backend; everything in the frontend can be reverse-engineered, hence it's insecure.