Supabase, API, Javascript - KEY SAFETY

Hey there!

I am building using external APIs that require client secret and client ID keys for the calls.
This topic is mainly about safety.
Here are the questions:

  1. If I understood well, the API connector isn't safe for passing secret keys? (Anyway, I do all my calls thanks to JavaScript and it's amazing.)
  2. Even with JavaScript, doing my calls in the frontend isn't safe.
    a. Is there a way to have a "vault" to store these keys and avoid issues (sounds impossible but …)?
    b. Using Supabase, I think the best solution would be Edge Functions where the secret keys are stored. However, Edge Functions look hard. Any tips on deploying them easily? Any resources to share? Also, calling these functions should be done using JavaScript in WeWeb?

Thanks a lot, WeWeb is amazing and still surprises me :wink:

I was just today writing a Postgres function to hit an API, so if you're feeling safer in SQL and PG functions, you can use pgsql-http.

Oh, sounds cool! I didn't know Postgres could handle HTTP! Thanks!

Yeah, it's not built for going nuts and making a ChatGPT wrapper using PG functions, but for some general-purpose stuff now and then, it might be worth a shot.

Yeah! Thanks for that, I'll dig into it! (Or go for Edge Functions…) Thanks again!

Hey @Broberto!
I dived into the Supabase Postgres function and managed to make it work in the Supabase SQL editor, so thank you!
However, to keep my keys safe, I am using the Vault (and it works in the Supabase SQL editor). The problem comes when calling the function in WeWeb
(using: const { data, error } = await wwLib.wwPlugins.supabase.instance.rpc('my_function'); )

=> I have an error in the logs: code: 42501, details: null, hint: null, error: "permission denied for schema vault"

=> I don't know how to grant access to the vault and the secret key to the backend while not exposing it in the frontend…

Any hints?

Thanks again!

Could you share the function? Or is it sensitive?

It is indeed a bit sensitive :grimacing:
But I'm getting the keys this way (inside the PL/pgSQL function body):
-- read the decrypted value of the secret named 'secret_key' into a local variable
SELECT decrypted_secret INTO client_credentials_encoded
FROM vault.decrypted_secrets
WHERE name = 'secret_key';

Yet it works when calling the function from the SQL editor… it's just not working in the frontend because of the vault… I think there is something I don't get with Supabase Vault haha… I saw I could grant access to a role, but I don't want to allow the user to see it… ChatGPT suggests creating a backend role, but it's not clear…

Or maybe I just did not get how the vault works haha.
Can I grant the vault access to authenticated users without exposing the decrypted value to them? (Access to the secrets but not to the decrypted secrets view…?)

I had an answer from Supabase!
Just adding "security definer" enables granting the access to the postgres role and therefore the backend. Works now!!

Yes, I wanted to propose this. But it is defying the purpose of using auth. You're saying: run this function always as the one who defined it (pgsql admin) and don't look at the invoker (auth).
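As an added example (not code from anyone in this thread), here is how the pieces discussed above fit together: a SECURITY DEFINER Postgres function that reads the key from Supabase Vault, calls the external API through pgsql-http, and returns only the upstream payload, with EXECUTE restricted to the authenticated role so definer rights do not make the wrapper callable by anonymous clients. The `extensions` schema for pgsql-http, the secret name `secret_key`, and the example.com URL are assumptions.

```sql
-- Assumes: pgsql-http installed in the "extensions" schema (Supabase default),
-- a Vault secret named 'secret_key', and a placeholder upstream URL.
create or replace function public.call_external_api(p_query text)
returns jsonb
language plpgsql
security definer            -- run with the owner's (postgres) privileges, not the caller's
set search_path = ''        -- force fully qualified names; blocks search_path tricks by callers
as $$
declare
  v_key  text;
  v_resp extensions.http_response;
begin
  -- The caller (authenticated role) has no grant on schema vault; the owner does.
  select decrypted_secret into v_key
  from vault.decrypted_secrets
  where name = 'secret_key';

  if v_key is null then
    raise exception 'secret_key not found in vault';
  end if;

  -- The key travels only in the request header; it is never part of the return value.
  select * into v_resp
  from extensions.http((
    'GET',
    'https://api.example.com/v1/things?q=' || extensions.urlencode(p_query),
    array[extensions.http_header('Authorization', 'Bearer ' || v_key)],
    null,
    null
  )::extensions.http_request);

  if v_resp.status <> 200 then
    -- Do not echo the upstream body in the error: it may leak internal detail to the client.
    raise exception 'upstream API returned status %', v_resp.status;
  end if;

  return v_resp.content::jsonb;
end;
$$;

-- Definer rights make the caller's role irrelevant inside the function, so limit who may call it
-- (functions are executable by PUBLIC by default, hence the explicit revoke).
revoke execute on function public.call_external_api(text) from public, anon;
grant execute on function public.call_external_api(text) to authenticated;
```

From WeWeb the call stays `rpc('call_external_api', { p_query: '...' })`; the client receives the API result but never the decrypted secret, and a user without a session gets a permission error instead of a definer-rights call.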

I used Fastgen to protect my keys just recently. It's a backend like Xano, but better. It also works with Supabase, I heard. You might want to try that one out too.

Alright, thanks for the tips.

I think that this is sufficient as my keys are protected :wink:

Thanks again