
If I store a JWT signing key in my frontend secrets environment variable and never log it anywhere, can a FE client still access it somehow?


Purpose of this Process:

I want to have some analytics tracking for unauthenticated user experience. And so I want to protect my backend analytics APIs to entertain requests only coming from my FE client. So I need a way to inject those secrets only via frontend.

I have a JWT Key in my FE as:

JWT_KEY=SOME_SUPER_SECRET_KEY

Now whenever I request my backend APIs, I use this key via process.env.JWT_KEY to sign a JWT token:

const jwt = require('jsonwebtoken'); // assumed: the jsonwebtoken package, whose API is jwt.sign()
const newToken = jwt.sign({ userData }, process.env.JWT_KEY); // the variable is JWT_KEY, not JWT.KEY

Now my question is that if I don't log my process environment variables on my client-side anywhere would the FE client still be able to get the JWT token by any chance?

I know that

const newToken = jwt.sign({ userData }, process.env.JWT_KEY);

is going to run on the client side but would it also expose env variables? Is there any way to protect these variables from not being exposed to client-side at all?


Solution

  • If you are using the KEY on your frontend, YES, they can see the variable. It seems like you are using a frontend framework. If you build the project, you can see the KEY will be hardcoded somewhere in the code.