node-google-spreadsheet
Service Account security issues
Context
I was testing this Google spreadsheet package and I realized I could make use of my service account. After setting up my config I was playing around with the methods and functions.
Process
After setting up the configuration I did a console log of the object
await doc.useServiceAccountAuth({
  client_email: config.client_email,
  private_key: config.private_key,
});
await doc.loadInfo(); // loads document properties and worksheets
console.log("document information")
console.log(doc);
Expected result
I was expecting to see the document object, but I didn't expect it to also include my Google service key in the document object.
Possible Fix
Is there a way to obfuscate/encrypt the data in this object (particularly with the key) on this end? I know I can try to just not call this method but it seems like an issue that this sensitive data is able to be returned still.
Are you just worried about accidentally logging it and it being sent off to some logging service?
I've now mostly offloaded the auth to google-auth-library, and when I log their objects directly, they include the tokens unhidden. I could potentially just hide the doc.auth property, but I'm not so sure that is the best idea...
Going to close this.
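The two mitigations touched on in this thread (not logging the key, and hiding the `auth` property), as an added example that is not part of the thread or of the library's code. The helper names `redactForLog`, `hideProperty` and `makeSampleDoc`, the list of sensitive field names, and the shape of the sample object are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers; the sample object is constructed
// and does not reflect the library's real internal layout.
const SENSITIVE_KEY = /^(private_key|access_token|refresh_token|id_token|client_secret)$/i;
const PEM_BLOCK = /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g;

// Deep-copy a value for logging, masking sensitive fields and embedded PEM keys.
// The original object is left untouched so authentication keeps working.
function redactForLog(value, ancestors = new WeakSet()) {
  if (typeof value === 'string') return value.replace(PEM_BLOCK, '[REDACTED]');
  if (value === null || typeof value !== 'object') return value;
  if (ancestors.has(value)) return '[Circular]'; // back-reference to a parent
  ancestors.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((v) => redactForLog(v, ancestors));
  } else {
    out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEY.test(k) ? '[REDACTED]' : redactForLog(v, ancestors);
    }
  }
  ancestors.delete(value);
  return out;
}

// Redefine a property as non-enumerable: code can still read obj[name], but
// Object.keys, JSON.stringify and Node's default console.log output skip it.
function hideProperty(obj, name) {
  Object.defineProperty(obj, name, {
    value: obj[name], enumerable: false, writable: true, configurable: true,
  });
  return obj;
}

// Constructed stand-in for a document object that carries its credentials.
function makeSampleDoc() {
  const pem = '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----';
  const doc = {
    title: 'Budget',
    auth: {
      client_email: 'svc@example-project.iam.gserviceaccount.com',
      private_key: pem,
      credentials: { access_token: 'constructed-token' },
    },
    lastError: 'bad key ' + pem + ' rejected',
  };
  doc.auth.owner = doc; // cycle, as client objects often point back at their parent
  return doc;
}

console.log(redactForLog(makeSampleDoc()));
```

Hiding a property only keeps it out of default log output; the key is still in memory and readable by any code holding the object, so redacting at the logging boundary is the more reliable control.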