I believe the Trello Power-Up documentation encourages you to expose your developer appKey and thus is not very security conscious. Unless I am missing something, of course.
I am going through the tutorials on building a power-up. You can find them here:
And on the atlassian site with working images.
The tutorials refer to, amongst others, the following Glitch demo:
The tutorials and the demo have this piece of code:
appName: 'My Trello App'
This client.js is included in the iframes that Trello loads for Power-Up buttons, badges, etc. The thing is, you can inspect the network requests your browser makes to these files, filter for client.js and then just see the source code and find the plain-text appKey in the code. So if you were to actually build a Power-Up this way, you'd just expose your appKey to everyone looking for it.
Again, I might be missing something.
Apparently API keys are intended to be public.
Have a look here. I had the same question/concern.
Think of an API key as being an application. If it is the API key that is tied to your account (you got it from https://trello.com/app-key), then you are the admin of the application. You prompt users via the authorization flow to grant access to their accounts to your application. This generates a token that can be used to access the user’s account. As an application admin, you will have a single API key that has been used to generate many tokens. Each token belongs to a single user (of which,…
Unfortunately, the naming of this is a bit ambiguous. But to remove any doubt, yes, the API key is intended to be public.
A token generated from an API key is secret and should never be shared. Additionally, the Secret under the OAuth section of https://trello.com/app-key should never be shared and is a secret.
@bentley @jrfischer Wow, that IS unclear from the name, but also as a concept. Normally keys like that are to be kept secret.
What is the rationale behind this? Wouldn’t an attack vector be that I use another app’s key to bypass the authentication pop-up in order to obtain secret tokens?
This isn’t any different than you getting a user to grant your own API key access to their account. To be clear, you’re not bypassing authentication - you’re changing the API key which the token is tied to.
Matt and I recorded a video to talk more about API keys and secrets and how best to manage both in your Power-Up: