I’ve just created my first ever power-up and am getting this error, despite having added a number of specific domains:
My power-up is a remix of the trello-developed card snoozer (as linked as an example to start from in the developer documentation). Didn’t change much yet, except a few strings and I’ve added my API-key to the power-up’s environment variables (though that didn’t seem to make a difference).
Using Chrome latest.
Any suggestions to what might be going on?
I split this off into its own topic from the original announcements post since that change went live quite awhile ago: Pure wildcard ("*") allowed origins on app keys will no longer be recognized and will be fully deprecated - #31
Is the Glitch project public? Happy to take a look.
Can you confirm that the key you see in the URL when you see the error is the same as your API key?
Yes, the project is public (free account ) Glitch :･ﾟ✧
And no, the dialog has key=5d801b206070c5332a841ec7b00ef21a in its URL query string which isn’t the key I get when I visit trello.com/app-key and entered in the environment variables.
Located that string in the source and replaced it with my app-key.
That solved the issue.
Thanks for the hint
Now for how to get that key out of the environment var and not have it hardcoded in the source…
Nice! Glad to hear it.
Here is an example of how we do it elsewhere: Glitch :･ﾟ✧
Although this isn’t pulling it from the environment variables, it is attempting to have a single source of truth for your API key (the client.js file) and passes that value along to sub-components that need it.
FWIW, it is OK for the API key to be publicly available–they are not intended to be kept secret. User consent tokens and app secrets are the two things you’d not want to share.
One way you could get it from environment variables is, Instead of having the node server return the static file via the
app.use(express.static('public')); you could catch the request for
client.js explicitly and serve it with the API key as a query param and then pull that value in on
Or you could use a template engine of some sort (like mustache) and use it to fill in the API key into whatever static files you need it in.
Thank you so much, @bentley. Very helpful!
And thanks for the reminder that the app-key doesn’t have to be secret. That makes life a whole lot easier. I’ll leave it in the auth file then – seems the appropriate place