Comments (9)
You could implement a proxy API call: instead of using the Blockfrost URL directly, you can use a custom REST API on your backend and then, from there, call Blockfrost to get the data, so you don't need to expose your project id to the front end.
from lucid.
According to @Traka-Dev's suggestion, I created an example repo for doing this with next.js: https://github.com/GGAlanSmithee/cardano-lucid-blockfrost-proxy-example
It also handles multiple blockfrost projects (for different networks) and for switching between networks.
Only implemented with the nami wallet for now, as a testbed. Please check it out.
I don't see it as a "big" issue. What would be your alternative approach?
If you don't want to expose it at all costs, then you likely have to implement your own provider into Lucid.
Are you fine, then, if the community uses your Blockfrost API key? I think it's worth thinking about a safer alternative.
I don't see it as a "big" issue. What would be your alternative approach? If you don't want to expose it at all costs, then you likely have to implement your own provider into Lucid.
I'm not sure. But it is indeed a problem, because other people can use your API key (spending your money)
You could implement a proxy API call: instead of using the Blockfrost URL directly, you can use a custom REST API on your backend and then, from there, call Blockfrost to get the data, so you don't need to expose your project id to the front end.
This is the recommended way to do it. Create a serverless function for the proxy request.
Could be for just testing, otherwise use it on nodejs as backend (https://github.com/blockfrost/blockfrost-js)
To add to this conversation, even if you proxy the Blockfrost API calls, there is nothing stopping an adversary from abusing your API endpoints and, by extension, your Blockfrost account.
In similar services that I've used before, Infura and magic.link, they allow you to whitelist domains, which would solve both issues, because in that case it does not matter if your API key is public.
Until that is in place / if they don't implement it, you could use headers like x-real-ip and x-forwarded-for to prevent this, but to my knowledge they can be spoofed. Either way, I will update the example repo with this.
I got an answer from Blockfrost:
Hi Alan,
Thanks a lot for the feedback, we really appreciate it! I've shared the GitHub issue with the team and discussed it. We also added a section to our docs: https://blockfrost.dev/docs/start-building/tips-tricks#securing-the-api-key
Although the best practice for securing the project_id is to never expose it publicly (e.g. in client-side code), we do understand the current state of our industry and the needs of our customers. In the near future, we plan to introduce whitelisting based on origin domains, IPs, user agents and specific endpoints, which will help lower the abuse.
However, even with restricting the project_id to certain domains or user agents, it will not completely prevent potential abuse of the project_id, as spoofing this information is trivial for any determined attacker.
Without a separated app backend, I believe there is really no 100% way of securing the api key. This applies to the infura domain whitelisting, too.
Cheers,
Peter
Blockfrost.io
The information on the linked page more or less reaffirms what @Traka-Dev said