-1

So, I have a functional application that is working fine. I'm using Next.js and the Next.js API tool to do all the requests. I'm using sanity.io for my backend. That's all OK.

For my Sanity config, I have a configuration file called 'sanity.js' that has all the sensitive content.


The deal is, if the user goes into source in the developer console, he finds all the sensitive data. I know that if I put this "const config" and "const editor" inside the API, this data will be hidden, but I need to use this 'const config' in more than one file, and I don't want to repeat code.

1st doubt: Is there some way to do this without repeating code, like creating a configuration file inside the API and reusing the consts inside it?

2nd doubt: The const 'urlFor' is used in the frontend to manage the images. How do I deal with this if the configuration file must be only in the API, and 'urlFor' needs this configuration as a parameter to run properly?

Caio b .
  • Your code is visible in the frontend because you imported your function in the frontend – Konrad Nov 21 '22 at 20:29
  • 2
    The project id, dataset and api version are not sensitive data and they will be visible in all of your queries, so they can be safely exposed to the browser. The token however, is sensitive indeed. Don't expose the token to the browser with `NEXT_PUBLIC` prefix. – ivanatias Nov 21 '22 at 21:04
  • Thank you so much ivanatias, it works – Caio b . Nov 21 '22 at 22:25

1 Answer

1

`projectId`, `dataset` and `apiVersion` are not considered sensitive data and they will be visible in all of your queries, so they can be safely exposed to the browser. The token, however, is sensitive indeed. Don't expose the token to the browser with the `NEXT_PUBLIC` prefix, as the value will be inlined into JavaScript sent to the client.

ivanatias
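
An added example, not part of the answer above and not Next.js or Sanity code: a simplified model of the build-time inlining the answer describes, with a check that flags a token reaching the client bundle. The environment variable names and values are constructed, and `inlinePublicEnv` and `findLeaks` are hypothetical helpers.

```javascript
// Constructed build environment. Only NEXT_PUBLIC_* names are meant for the browser.
const env = {
  NEXT_PUBLIC_SANITY_PROJECT_ID: "abc123xy",
  NEXT_PUBLIC_SANITY_DATASET: "production",
  SANITY_API_TOKEN: "sk-constructed-token-0001",
};

// Simplified stand-in for the bundler: process.env.NEXT_PUBLIC_* references become
// string literals; any other process.env.* reference is left untouched.
function inlinePublicEnv(source, buildEnv) {
  return source.replace(/process\.env\.(NEXT_PUBLIC_[A-Z0-9_]+)/g, (match, name) =>
    name in buildEnv ? JSON.stringify(buildEnv[name]) : match
  );
}

// Flag secrets that reach the client bundle: a secret-looking name that carries
// the public prefix, or a non-public value present verbatim in the bundle text.
function findLeaks(bundleText, buildEnv) {
  const leaks = [];
  for (const [name, value] of Object.entries(buildEnv)) {
    const isPublic = name.startsWith("NEXT_PUBLIC_");
    if (isPublic && /TOKEN|SECRET|PASSWORD|PRIVATE/.test(name)) {
      leaks.push(`${name}: secret-looking name with public prefix`);
    } else if (!isPublic && value && bundleText.includes(value)) {
      leaks.push(`${name}: value present in client bundle`);
    }
  }
  return leaks;
}

// Shared config module as the frontend would import it: no token (constructed).
const sharedConfig = `export const config = {
  projectId: process.env.NEXT_PUBLIC_SANITY_PROJECT_ID,
  dataset: process.env.NEXT_PUBLIC_SANITY_DATASET,
};`;

// The mistake the answer warns about: the token exposed with the public prefix.
const badEnv = { ...env, NEXT_PUBLIC_SANITY_API_TOKEN: env.SANITY_API_TOKEN };
const badConfig = sharedConfig.replace(
  "};",
  "  token: process.env.NEXT_PUBLIC_SANITY_API_TOKEN,\n};"
);

const goodBundle = inlinePublicEnv(sharedConfig, env);
const badBundle = inlinePublicEnv(badConfig, badEnv);
```

Running `findLeaks` over real build output (for example the files under `.next/static`) with the server-only values from the deployment environment turns this into a pre-release check.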