Example of overriding Secret with custom implementation#17
Open
tophtucker wants to merge 3 commits into main from
Conversation
mbostock (Member) requested changes on Sep 28, 2021 and left a comment:
I worry that this is a fairly significant footgun for folks that don’t understand the implications of hard-coding a secret into their code. Like, is that what we want to recommend? Or should we instead recommend… I dunno, pulling a secret out of localStorage? Or passing the secret as a query parameter? I would like to understand the use case here before we formalize a recommendation.
| | [**custom-fluid-width**](https://github.com/observablehq/examples/tree/main/custom-fluid-width/) | Resize a chart when the window is resized | | ||
| | [**custom-fluid-width-and-height**](https://github.com/observablehq/examples/tree/main/custom-fluid-width-and-height/) | Resize a chart when its container is resized | | ||
| | [**custom-library**](https://github.com/observablehq/examples/tree/main/custom-library/) | Override the Observable Standard Library | | ||
| | [**secret**](https://github.com/observablehq/examples/tree/main/secret) | Override the implementation of Secrets | |
Suggested change
| | [**secret**](https://github.com/observablehq/examples/tree/main/secret) | Override the implementation of Secrets | | |
| | [**secret**](https://github.com/observablehq/examples/tree/main/secret) | Override the implementation of secrets | |
It’s good to capitalize the Secret function, but I’d prefer to keep the term “secrets” lowercase.
| See it live: https://observablehq.github.io/examples/secret | ||
| Observable lets you configure [Secrets](https://observablehq.com/@observablehq/secrets). Sensitive variables can be stored outside your code and returned by calling `Secret("MY_SECRET_KEY")`, which might return a password like `"$w0rdf1sh"`. If you publish the notebook, the Secret will throw an error instead of returning a value, so that the Secret is not publicly exposed. |
Suggested change
| Observable lets you configure [Secrets](https://observablehq.com/@observablehq/secrets). Sensitive variables can be stored outside your code and returned by calling `Secret("MY_SECRET_KEY")`, which might return a password like `"$w0rdf1sh"`. If you publish the notebook, the Secret will throw an error instead of returning a value, so that the Secret is not publicly exposed. | |
| Observable lets you configure [secrets](https://observablehq.com/@observablehq/secrets). Sensitive variables can be stored outside your code and returned by calling `Secret("MY_SECRET_KEY")`, which might return a password like `"$w0rdf1sh"`. If you publish the notebook, calling `Secret` will throw an error instead of returning a value so that the secret is not publicly exposed. |
| Calling `Secret` will also throw an error if you download the notebook — but sometimes, you might be downloading it to run in your own secure setting where you’d like to set the Secret a different way. This example shows how to use your own implementation of the Secret function to provide things like environment variables or API keys without rewriting your code. |
Suggested change
| Calling `Secret` will also throw an error if you download the notebook — but sometimes, you might be downloading it to run in your own secure setting where you’d like to set the Secret a different way. This example shows how to use your own implementation of the Secret function to provide things like environment variables or API keys without rewriting your code. | |
| Calling `Secret` will also throw an error if you download the notebook — but sometimes, you might be downloading it to run in your own secure setting where you’d like to set the secret a different way. This example shows how to use your own implementation of `Secret` to provide things like environment variables or API keys without rewriting your code. |
| In this _insecure_ example, index.html gets Secret values from a hardcoded Map. This should never be used in code that would be seen openly on the client side; if you published this index.html publicly on the Web, anyone could read your hardcoded Secrets. |
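Review bot: the warning in this paragraph says the hardcoded Map must not appear in code "seen openly on the client side", yet index.html is itself client-side code, so as written the sentence contradicts the example it introduces. Suggest narrowing it to say the Map is acceptable only in a local, unpublished copy of the notebook, and that real values must never be committed to the repository or deployed anywhere reachable over the Web; that wording also answers the footgun concern raised at the top of this review.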
Suggested change
| In this _insecure_ example, index.html gets Secret values from a hardcoded Map. This should never be used in code that would be seen openly on the client side; if you published this index.html publicly on the Web, anyone could read your hardcoded Secrets. | |
| In this _insecure_ example, index.html gets secret values from a hardcoded Map. This should never be used in code that would be seen openly on the client side; if you published this index.html publicly on the Web, anyone could read your hardcoded secrets. |
Comment on lines +7 to +8
| "name": "tophtest", | ||
| "url": "https://observablehq.com/@tophtest" |
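Review bot: the author block points at a personal account (`"name": "tophtest"`, `"url": "https://observablehq.com/@tophtest"`); confirm this is intentional and not a placeholder left over from testing before the PR is merged.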
Responding to this forum question. It's a little delicate because we gotta be careful not to encourage anyone to use a Map of hardcoded Secrets client-side — but using Secrets with the Runtime API does seem like an important scenario that merits an example.
I thought about making the example call an API with a token, but don't wanna actually call anything and don't want them to see a broken request. And then I thought about using the Secret to decode a message with a Vigenère cipher, simple enough that decryption could be one cell, but figured that was overthinking it and all people need to see is the value!