Trello Power-Up demo code exposes appkey

Hi,

I believe the Trello Power-Up documentation encourages you to expose your developer appkey and thus is not very security conscious. Unless I am missing something of course.

I am going through the tutorials on building a power-up. You can find them here:

https://tech.trello.com/power-up-tutorial-part-one/

And on the Atlassian site with working images.

The tutorials refer to the following, amongst others, Glitch demo:

The tutorials and the demo have this piece of code:

// client.js
TrelloPowerUp.initialize({ //...
}, {
  appKey: 'your_key_here',
  appName: 'My Trello App'
});

This client.js is included in the iframes that Trello loads for power-up buttons, badges, etc. The thing is, you can inspect the network requests your browser makes to these files, filter for client.js and then just see the source code and find the plain-text appKey in the code. So if you were to actually build a power-up this way, you’d just expose your appKey to everyone looking for it.

Again, I might be missing something.

1 Like

Apparently API keys are intended to be public.

Have a look here. I had the same question/concern.

2 Likes

Unfortunately, the naming of this is a bit ambiguous. But to remove any doubt, yes, the API key is intended to be public.

A token generated from an API key is secret and should never be shared. Additionally, the Secret under the OAuth section of https://trello.com/app-key should never be shared and is a secret.
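
The distinction drawn in the reply above (public API key, secret token and OAuth Secret), as an added example that is not part of the original thread or Trello's own code: a small audit of client-side Power-Up source that accepts a hard-coded `appKey` but flags token or secret literals. The field names `userToken` and `oauthSecret` and the length heuristic are assumptions, and the sample input is constructed.

```javascript
// Added example, not Trello's code. Per the thread: appKey is public; a token
// and the OAuth Secret are not. Other field names here are assumed naming.
const PUBLIC_FIELDS = new Set(['appkey']);
const SECRET_NAME = /token|secret/i;
// Heuristic (assumption): a long unbroken alphanumeric literal is credential-like.
const CREDENTIAL_LIKE = /^[A-Za-z0-9]{32,}$/;
// Matches  name: 'value',  name = "value",  "name": `value`
const ASSIGNMENT = /["']?([A-Za-z_$][\w$]*)["']?\s*[:=]\s*(["'`])((?:\\.|(?!\2).)*)\2/g;

function classify(name, value) {
  if (PUBLIC_FIELDS.has(name.toLowerCase())) return 'public-ok';
  if (SECRET_NAME.test(name) && value.length > 0) return 'must-not-ship';
  if (CREDENTIAL_LIKE.test(value)) return 'review';
  return null; // not credential-related
}

// Returns [{line, field, verdict}]. Values are never echoed, so the report
// itself is safe to write to CI logs.
function auditClientSource(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(ASSIGNMENT)) {
      const verdict = classify(m[1], m[3]);
      if (verdict) findings.push({ line: i + 1, field: m[1], verdict });
    }
  });
  return findings;
}

// Constructed sample: the tutorial's client.js plus three mistakes a developer
// might add. All values are placeholders, not real credentials.
const SAMPLE = [
  "TrelloPowerUp.initialize({ /* capabilities */ }, {",
  "  appKey: 'your_key_here',",
  "  appName: 'My Trello App'",
  "});",
  "const userToken = 'CONSTRUCTED-TOKEN-VALUE';",
  "const cfg = { oauthSecret: 'CONSTRUCTED-SECRET-VALUE' };",
  "const x = 'A1b2C3d4E5f6A1b2C3d4E5f6A1b2C3d4E5f6';",
].join('\n');

for (const f of auditClientSource(SAMPLE)) {
  console.log(`line ${f.line}: ${f.field} -> ${f.verdict}`);
}
```

Run against the files actually served into the Power-Up iframes, a `must-not-ship` or `review` verdict is a reason to fail the build; `public-ok` on `appKey` is expected.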

@bentley @jrfischer Wow that IS unclear from the name, but also as a concept. Normally keys like that are to be kept secret.

What is the rationale behind this? Wouldn’t an attack vector be that I use another app’s key to bypass the authentication pop-up in order to obtain secret tokens?

This isn’t any different than you getting a user to grant your own API key access to their account. To be clear, you’re not bypassing authentication - you’re changing the API key which the token is tied to.