I believe the Trello power-up documentation encourages you to expose your developer appkey and thus is not very security conscious. Unless I am missing something of course.
I am going through the tutorials on building a power-up. You can find them here:
And on the atlassian site with working images.
The tutorials refer to the following, amongst others, glitch demo:
The tutorials and the demo have this piece of code:
This client.js is included in the iframes that trello loads for power-up buttons, badges, etc. The thing is, you can inspect the network requests your browser makes to these files, filter for client.js and then just see the source code and find the plain-text appKey in the code. So if you were to actually build a power-up this way, you’d just expose your appKey to everyone looking for it.
Unfortunately, the naming of this is a bit ambiguous. But to remove any doubt, yes the API key is intended to be public.
A token generated from an API key is secret and should never be shared. Additionally, the Secret under the OAuth section of https://trello.com/app-key should never be shared and is a secret.
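A practical way to apply the distinction made above before shipping a power-up is to scan the static JavaScript the power-up serves for anything that looks like a secret credential. The following is an added example, not code from this thread or from Trello's documentation: the `auditClientJs` and `hasSecretLeak` helpers, the name patterns, and the sample `client.js` text are all constructed for illustration. It treats an `appKey` assignment as informational (public by design) and flags string literals assigned to token- or secret-named identifiers as errors.

```javascript
// Added example (not from the thread or Trello's docs): audit the static JS a
// Power-Up serves and flag anything that looks like a secret credential.
// Only the API key (appKey) is meant to ship to the browser; a user token or
// the OAuth secret must stay server-side. Identifier patterns and the sample
// file below are constructed for illustration.

// Identifier names that suggest a secret (checked first, so "secretKey" is an error).
const SECRET_NAME = /token|secret/i;
// Identifier names that suggest the public API key ("appKey", "apiKey", ...).
const PUBLIC_NAME = /key$/i;

// Matches `name: "value"`, `name = 'value'` etc. with a string literal of 8+ chars.
const ASSIGNMENT = /([A-Za-z_$][\w$]*)\s*[:=]\s*(['"])([^'"]{8,})\2/g;

function auditClientJs(source) {
  const findings = [];
  for (const m of source.matchAll(ASSIGNMENT)) {
    const [, name, , value] = m;
    if (SECRET_NAME.test(name)) {
      findings.push({ name, severity: 'error',
        reason: 'secret credential (token / OAuth secret) in client-side code' });
    } else if (PUBLIC_NAME.test(name)) {
      findings.push({ name, severity: 'info',
        reason: 'API key is public by design' });
    }
  }
  return findings;
}

// True when at least one finding is a secret leak.
function hasSecretLeak(source) {
  return auditClientJs(source).some((f) => f.severity === 'error');
}

// Constructed sample client.js: a public appKey plus a pasted token and OAuth secret.
const SAMPLE_CLIENT_JS = `
TrelloPowerUp.initialize({}, { appKey: "0123456789abcdef0123456789abcdef", appName: "Demo" });
// someone pasted their own token and OAuth secret into the shipped file:
const token = "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff";
const oauthSecret = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
`;

for (const f of auditClientJs(SAMPLE_CLIENT_JS)) {
  console.log(`${f.severity.toUpperCase()}: ${f.name} - ${f.reason}`);
}
```

Run it over the `client.js` your power-up actually serves (the same file visible in the browser's network tab); an `error` line means a token or OAuth secret is reachable by anyone who loads the iframe, while the `info` line for `appKey` is expected.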
@bentley @jrfischer Wow that IS unclear from the name, but also as a concept. Normally keys like that are to be kept secret.
What is the rationale behind this? Wouldn’t an attack vector be that I use another app’s key to bypass the authentication pop-up in order to obtain secret tokens?
This isn’t any different than you getting a user to grant your own API key access to their account. To be clear, you’re not bypassing authentication - you’re changing the API key which the token is tied to.