gatsby-storyblok-boilerplate

Remove preview token from public component

Open sherakama opened this issue 2 years ago • 0 comments

Remove Preview Token From Public Component

From your documentation at https://www.storyblok.com/docs/api/content-delivery/v2#core-resources/stories/stories:

"Public and Preview tokens are read only and do not allow you or others to write or delete entries in your space. The public token can be published."

There is no mention that preview tokens can be published and to me that is correct. You should not have the preview token in a public component as someone could use that to see unpublished content.

IMHO, you should not have any of the access tokens available on the front end and all of the access tokens should be hidden by an API service layer or only available at build time. I would also recommend that this project does not use the naming convention GATSBY_ as that naming convention is reserved for variables that are supposed to go into the front end. https://www.gatsbyjs.com/docs/how-to/local-development/environment-variables/#accessing-environment-variables-in-the-browser

sherakama, Feb 22 '23 06:02
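A pre-deploy check for the concern raised in this issue, added here as an example; it is not part of the issue or of the gatsby-storyblok-boilerplate project. It flags `GATSBY_`-prefixed variables whose names look like credentials, since Gatsby inlines those into browser code, and searches built bundle text for the values of variables meant to stay build-only. The variable names, token values and file contents are constructed placeholders.

```javascript
// Added example: audit a Gatsby build for access tokens that reach the browser.
const SECRET_HINT = /(TOKEN|SECRET|KEY|PASSWORD)/i;

// Variables Gatsby will embed in client code (GATSBY_ prefix) that look like credentials.
function browserExposedSecrets(env) {
  return Object.keys(env)
    .filter((name) => name.startsWith("GATSBY_") && SECRET_HINT.test(name))
    .sort();
}

// Built files that contain the value of a variable meant to be build-time only,
// e.g. because a component received the token through props or page context.
function leakedInBundle(env, buildOnlyNames, files) {
  const findings = [];
  for (const name of buildOnlyNames) {
    const value = env[name];
    if (!value || value.length < 8) continue; // unset, or too short to match reliably
    for (const { path, text } of files) {
      if (text.includes(value)) findings.push({ name, path });
    }
  }
  return findings;
}

function audit(env, buildOnlyNames, files) {
  return {
    exposedNames: browserExposedSecrets(env),
    leaks: leakedInBundle(env, buildOnlyNames, files),
  };
}

// Constructed sample input (hypothetical names, fake token values).
const sampleEnv = {
  GATSBY_STORYBLOK_PREVIEW_TOKEN: "EXAMPLEpreviewTOKEN0001",
  STORYBLOK_PREVIEW_TOKEN: "EXAMPLEpreviewTOKEN0002",
  GATSBY_SITE_TITLE: "Demo",
};
const sampleFiles = [
  { path: "public/app-abc123.js", text: 'init({accessToken:"EXAMPLEpreviewTOKEN0002"})' },
  { path: "public/index.html", text: "<title>Demo</title>" },
];

console.log(JSON.stringify(audit(sampleEnv, ["STORYBLOK_PREVIEW_TOKEN"], sampleFiles), null, 2));
```

In a real pipeline, pass `process.env` and the contents of the files under `public/` after `gatsby build`, and fail the job when either list is non-empty.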