diff --git a/packages/migrate-tool/.env.example b/packages/migrate-tool/.env.example
index 0e8b837a315..ddb9f2b3a31 100644
--- a/packages/migrate-tool/.env.example
+++ b/packages/migrate-tool/.env.example
@@ -19,10 +19,11 @@ VITE_GOOGLE_CLIENT_ID=your-google-oauth-client-id.apps.googleusercontent.com
 GOOGLE_CLIENT_ID=your-google-oauth-client-id.apps.googleusercontent.com
 AUTH_SESSION_SECRET=at-least-32-character-secret-for-jwt-signing
-# Audius bearer token. Backend only. Used with the API key above so the
-# server can act on behalf of users who have authorized the developer app.
+# Audius API secret. Backend only. Used with the API key above so the
+# server can authenticate the developer app and sign its requests. Never
+# expose this in the browser.
 AUDIUS_API_KEY=
-AUDIUS_BEARER_TOKEN=
+AUDIUS_API_SECRET=
 # Optional escape hatch for programmatic/CLI access to the admin endpoints
 # (list/approve/reject) via "Authorization: Bearer ". The admin UI
diff --git a/packages/migrate-tool/README.md b/packages/migrate-tool/README.md
index 7564543d0c3..183eb9b40c6 100644
--- a/packages/migrate-tool/README.md
+++ b/packages/migrate-tool/README.md
@@ -64,12 +64,12 @@ You'll need:
 ### 2. Audius developer app
 Create a developer app at → Developer Apps. You'll
-get an **API Key** and a **Bearer Token**.
+get an **API Key** and an **API Secret**.
 - `VITE_AUDIUS_API_KEY` — the API key (safe in the browser; baked into the build)
 - `AUDIUS_API_KEY` — same API key, for the backend
-- `AUDIUS_BEARER_TOKEN` — backend-only; grants the app permission to act on
- behalf of users who have authorized it via OAuth
+- `AUDIUS_API_SECRET` — backend-only; authenticates the app and signs its
+ requests server-side. Never expose this in the browser.
 You'll also need to whitelist the deployment's OAuth redirect URI in the dev
 app's settings (e.g. `https://migrate.audius.co/`).
@@ -101,7 +101,7 @@ npx vercel link
 npx vercel env add VITE_AUDIUS_API_KEY
 npx vercel env add VITE_GOOGLE_CLIENT_ID
 npx vercel env add AUDIUS_API_KEY
-npx vercel env add AUDIUS_BEARER_TOKEN
+npx vercel env add AUDIUS_API_SECRET
 npx vercel env add GOOGLE_CLIENT_ID
 npx vercel env add AUTH_SESSION_SECRET
 npx vercel env add ADMIN_BEARER_TOKEN # optional escape hatch
diff --git a/packages/migrate-tool/api/_lib/audius.ts b/packages/migrate-tool/api/_lib/audius.ts
index 62da71f84cd..af089d1a4a5 100644
--- a/packages/migrate-tool/api/_lib/audius.ts
+++ b/packages/migrate-tool/api/_lib/audius.ts
@@ -6,13 +6,12 @@ import {
 let serverSdk: AudiusSdkWithServices | null = null
 /**
- * Server-side SDK initialized with the developer app's API key + bearer
- * token. The bearer token grants the app permission to act on behalf of
- * any user who has authorized it via OAuth.
+ * Server-side SDK initialized with the developer app's API key + API
+ * secret. The API secret authenticates the app and lets it sign requests
+ * server-side, so it must never be exposed in browser or mobile code.
  *
- * Per the SDK README: "Bearer Token — backend only. Grants your app the
- * ability to act on behalf of users who have authorized it. Never expose
- * this in browser or mobile code."
+ * Per the SDK README: "apiSecret should only be provided server side so
+ * that it isn't exposed."
  *
  * We use createSdkWithServices (rather than the public sdk() factory) so
  * sdk.tracks is the wrapped TracksApi with friendly helpers like
@@ -22,15 +21,15 @@ let serverSdk: AudiusSdkWithServices | null = null
 export function getServerSDK(): AudiusSdkWithServices {
 if (serverSdk) return serverSdk
 const apiKey = process.env.AUDIUS_API_KEY
- const bearerToken = process.env.AUDIUS_BEARER_TOKEN
- if (!apiKey || !bearerToken) {
+ const apiSecret = process.env.AUDIUS_API_SECRET
+ if (!apiKey || !apiSecret) {
 throw new Error(
- 'AUDIUS_API_KEY and AUDIUS_BEARER_TOKEN must be set on the server.'
+ 'AUDIUS_API_KEY and AUDIUS_API_SECRET must be set on the server.'
 )
 }
 serverSdk = createSdkWithServices({
 apiKey,
- bearerToken,
+ apiSecret,
 appName: 'AudiusTrackMigration'
 })
 return serverSdk
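Review bot: The rename stops reading `AUDIUS_BEARER_TOKEN` entirely, so a deployment that still sets only the old variable will fail with a message that gives no hint about the migration, and because getServerSDK initializes lazily that failure surfaces on the first request that needs the SDK rather than at boot. Consider extending the thrown message, e.g. `'AUDIUS_API_KEY and AUDIUS_API_SECRET must be set on the server (AUDIUS_BEARER_TOKEN is no longer read).'`, so an operator following the README's `vercel env add` steps can diagnose it immediately. The removed comment described the bearer token as granting the ability to act on behalf of OAuth-authorized users; if any caller of getServerSDK depends on that capability, it is worth confirming the API secret covers the same operations, which nothing in this hunk shows. The function's closing brace lies outside the hunk.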