
Yorkie API key is being leaked #435

Open
green-kong opened this issue Jan 22, 2025 · 3 comments
Labels
bug 🐞 Something isn't working

Comments

@green-kong

What happened: Yorkie API key is being leaked in the browser

What you expected to happen: Of course it shouldn't be.

How to reproduce it (as minimally and precisely as possible):
In the browser developer tools > Sources tab, you can find the API key easily.

Image

Anything else we need to know?:

Environment:

  • Operating system:
  • Browser and version:
  • CodePair version:
@green-kong green-kong added the bug 🐞 Something isn't working label Jan 22, 2025
@github-project-automation github-project-automation bot moved this to Backlog in CodePair Jan 22, 2025
@devleejb (Member)

Thank you for creating the issue!

The key in question is a public API key used on the frontend, so it should remain there. In contrast, our secret key for Yorkie is securely stored on the backend.
For fine-grained access control, Yorkie provides an authentication webhook.

@green-kong (Author)

green-kong commented Jan 23, 2025

Thank you for responding, @devleejb.

I misunderstood something.
I thought that the public key was different for each CodePair user.
I didn't know CodePair uses a single Yorkie account.
I was worried that that public key was my own.

But we still have a problem.
CodePair can control the role of a document's participants.

Let's think about this case.
Suppose I have only a read role on your document.
But as I said, I can get the public key easily.

According to the Yorkie documents, I can create a Yorkie client with only the public key.
And getting the document key is much easier.

Image

With this information, open up VS Code, write a few lines of code...

Image

voilà! I just screwed up your document!

I know you might think I am going too far.
But as you know, security can't have a limit lol.
I just wanted to let you know that it could be misused in this way, mate.

@devleejb (Member)

Yes, that’s correct.

Actually, this is a known issue. One way to address it is by enabling the Authentication Webhook. However, for various reasons, we haven’t enabled it yet. I believe now is the right time to consider enabling it. Thank you for bringing this up! I’ll discuss it with the other maintainers.

FYI, CodePair already supports an authentication webhook endpoint: POST /check/yorkie
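How such a webhook can enforce the read-only role this thread discusses, as an added TypeScript example that is not CodePair's code: the request and response field names are assumed from Yorkie's documented auth-webhook format, and the `Policy` backend is hypothetical.

```typescript
type Verb = "r" | "rw";
type Role = "read" | "write" | "none";

// Request body Yorkie posts to the webhook (field names assumed from Yorkie's
// documented auth-webhook format; verify against the Yorkie version in use).
interface YorkieAuthRequest {
  token: string;                              // CodePair session token the client presents
  method: string;                             // e.g. "ActivateClient", "AttachDocument", "PushPull"
  attributes: { key: string; verb: Verb }[];  // documents touched and the access requested
}
interface YorkieAuthResponse { allowed: boolean; reason: string }

// Hypothetical policy backend: in a real service both calls hit the database.
interface Policy {
  isValidSession(token: string): boolean;
  roleOf(token: string, docKey: string): Role;
}

// Methods that name no document only require a valid session.
const SESSION_ONLY = new Set(["ActivateClient", "DeactivateClient"]);

export function authorizeYorkieRequest(req: YorkieAuthRequest, policy: Policy): YorkieAuthResponse {
  if (!policy.isValidSession(req.token)) return { allowed: false, reason: "invalid session" };
  if (SESSION_ONLY.has(req.method)) return { allowed: true, reason: "session ok" };
  if (!req.attributes?.length) return { allowed: false, reason: "no document attributes" };
  for (const { key, verb } of req.attributes) {
    const role = policy.roleOf(req.token, key);
    if (role === "none") return { allowed: false, reason: `no access to ${key}` };
    // A read-only participant may attach and watch ("r"), but any request carrying
    // "rw" is refused server-side, which knowing the public key cannot bypass.
    if (verb === "rw" && role !== "write") return { allowed: false, reason: `read-only on ${key}` };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample policy so the block runs stand-alone.
const roles: Record<string, Record<string, Role>> = {
  "token-alice": { "doc-1": "write" },
  "token-bob": { "doc-1": "read" },
};
export const samplePolicy: Policy = {
  isValidSession: (t) => t in roles,
  roleOf: (t, k) => roles[t]?.[k] ?? "none",
};
```

The webhook handler would return the object as the JSON body; everything the decision depends on comes from the server-side session and role tables, not from anything the browser sends besides its session token.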
