
fix: remove sensitive information from the client side #98

Conversation

vinhtrinh

Summary

Describe the changes proposed in this pull request:

  • Sensitive Adyen information is currently exposed to the client side through application configurations.
  • To address this security issue, we need to relocate the Adyen configurations to a more secure location, such as config/{siteId}/adyen.js.
  • This PR includes a cloned script from a new feature request in the PWA main repository.
    • Once the PR in @salesforce/pwa-kit is approved and merged, we can remove this temporary module.
    • If the PR is not approved, we can retain the custom getConfig module as a permanent solution.

Types of Changes

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Documentation update
  • Breaking change (could cause existing functionality to not work as expected)
  • Other changes (non-breaking changes that do not fit any of the above)

Examples of usage:

```js
// file: config/RefArch/adyen.js
// Server-side only: every value is read from the process environment at
// runtime, so nothing here is baked into the client bundle.
module.exports = {
    apiKey: process.env.ADYEN_API_KEY,
    clientKey: process.env.ADYEN_CLIENT_KEY,
    environment: process.env.ADYEN_ENVIRONMENT,
    merchantAccount: process.env.ADYEN_MERCHANT_ACCOUNT,
    systemIntegratorName: process.env.SYSTEM_INTEGRATOR_NAME,
    webhookUser: process.env.ADYEN_WEBHOOK_USER,
    webhookPassword: process.env.ADYEN_WEBHOOK_PASSWORD,
    webhookHmacKey: process.env.ADYEN_HMAC_KEY
}
```

```js
// Gets Adyen configurations from the default `RefArch` site
// (server-side code; resolves config/RefArch/adyen.js via the site id)
import {getSiteConfig} from '@salesforce/pwa-kit-runtime/utils/ssr-config'

const adyenConfig = getSiteConfig('adyen')
```

General

  • Changes are covered by test cases
  • There are no changes to UI

Fixed Issue: #97
Resolved By: SalesforceCommerceCloud/pwa-kit#1639
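The split this PR argues for, shown as an added example that is not code from this PR, from pwa-kit or from Adyen: server-only Adyen settings are loaded in a server-side module, only an explicit allow-list of keys is ever projected into the object sent to the browser, and a walk over whatever is about to be serialised for the client fails closed if a server-only key slipped in. The classification of which keys are client-safe (`clientKey`, `environment`) versus server-only, and the `loadAdyenConfig`, `toClientConfig`, `findServerSecrets` and `assertClientSafe` names, are assumptions of this example; the environment values are constructed placeholders.

```javascript
// Added example (not part of the PR, pwa-kit or Adyen code): keep server-only
// Adyen settings out of anything serialised to the browser.

// Settings that must never be serialised into the client bundle (assumed set).
const SERVER_ONLY_KEYS = new Set([
    'apiKey', 'merchantAccount', 'systemIntegratorName',
    'webhookUser', 'webhookPassword', 'webhookHmacKey'
])

// Settings the browser-side payment components legitimately need (assumed client-safe).
const CLIENT_SAFE_KEYS = new Set(['clientKey', 'environment'])

// Server-side loader with the same shape as config/{siteId}/adyen.js.
// `env` is injectable so the example runs on constructed input instead of process.env.
function loadAdyenConfig(env = process.env) {
    return {
        apiKey: env.ADYEN_API_KEY,
        clientKey: env.ADYEN_CLIENT_KEY,
        environment: env.ADYEN_ENVIRONMENT,
        merchantAccount: env.ADYEN_MERCHANT_ACCOUNT,
        systemIntegratorName: env.SYSTEM_INTEGRATOR_NAME,
        webhookUser: env.ADYEN_WEBHOOK_USER,
        webhookPassword: env.ADYEN_WEBHOOK_PASSWORD,
        webhookHmacKey: env.ADYEN_HMAC_KEY
    }
}

// Allow-list projection: the only Adyen object that may be handed to the browser.
function toClientConfig(config) {
    const out = {}
    for (const key of CLIENT_SAFE_KEYS) {
        if (config[key] !== undefined) out[key] = config[key]
    }
    return out
}

// Defensive check over whatever is about to be serialised for the client
// (for example an app config embedded in the SSR HTML). Walks nested objects
// and arrays and returns the path of every server-only key it finds.
function findServerSecrets(value, path = '') {
    const hits = []
    if (Array.isArray(value)) {
        value.forEach((v, i) => hits.push(...findServerSecrets(v, `${path}[${i}]`)))
    } else if (value && typeof value === 'object') {
        for (const [key, v] of Object.entries(value)) {
            const here = path ? `${path}.${key}` : key
            if (SERVER_ONLY_KEYS.has(key)) hits.push(here)
            hits.push(...findServerSecrets(v, here))
        }
    }
    return hits
}

// Fail closed: refuse to return an object that would leak server-only settings.
function assertClientSafe(value) {
    const hits = findServerSecrets(value)
    if (hits.length > 0) {
        throw new Error(`server-only Adyen settings would reach the client: ${hits.join(', ')}`)
    }
    return value
}

// Constructed sample environment (placeholder values, not real credentials).
const SAMPLE_ENV = {
    ADYEN_API_KEY: 'placeholder-api-key',
    ADYEN_CLIENT_KEY: 'test_placeholder_client_key',
    ADYEN_ENVIRONMENT: 'test',
    ADYEN_MERCHANT_ACCOUNT: 'PlaceholderECOM',
    SYSTEM_INTEGRATOR_NAME: 'placeholder-integrator',
    ADYEN_WEBHOOK_USER: 'placeholder-user',
    ADYEN_WEBHOOK_PASSWORD: 'placeholder-password',
    ADYEN_HMAC_KEY: 'placeholder-hmac'
}

// Server side keeps the full object; the client only ever sees the projection.
const serverConfig = loadAdyenConfig(SAMPLE_ENV)
const clientConfig = assertClientSafe(toClientConfig(serverConfig))
console.log('client-visible Adyen config:', clientConfig)
```

The useful property is that `findServerSecrets` is run on the whole serialised payload, not just the Adyen sub-object, so a secret that reaches the client through some other branch of the app configuration is still caught before the HTML or bundle is produced.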

@vinhtrinh vinhtrinh force-pushed the feature/fix-sensitive-info-exposed-to-client branch from 6f41ad5 to 7b180b5 Compare January 16, 2024 17:31

sonarcloud bot commented Jan 16, 2024

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@amihajlovski
Collaborator

Hello @vinhtrinh

This PR will add extra dependencies and we don't want to do that.
We are working on another solution that will keep the environment variables on the backend only.

Kind Regards
Aleksandar
Adyen
