Description
Problem
Cloudflare R2 credentials (ACCOUNT_ID, ACCESS_KEY_ID, SECRET_ACCESS_KEY) are currently using the NEXT_PUBLIC_ prefix in environment variables, which exposes these sensitive secrets to the browser bundle.
While r2Client.ts is intended for server-side use only, it gets included in the client bundle because:
- Frontend code (src/async/mutationHooks/files/useFileUploadOptimisticMutation.ts) imports storageClient.ts
- storageClient.ts imports r2Helpers from r2Client.ts
- Module-level code in r2Client.ts reads NEXT_PUBLIC_ prefixed environment variables
This means the credentials are exposed in the browser, which is a critical security vulnerability.
Proposed Solution
- Move signed URL generation to API routes: Frontend should not generate signed URLs directly. Instead, it should call API routes that handle this server-side.
- Rename environment variables to remove the NEXT_PUBLIC_ prefix:
  - NEXT_PUBLIC_CLOUDFLARE_ACCOUNT_ID → CLOUDFLARE_ACCOUNT_ID
  - NEXT_PUBLIC_CLOUDFLARE_ACCESS_KEY_ID → CLOUDFLARE_ACCESS_KEY_ID
  - NEXT_PUBLIC_CLOUDFLARE_SECRET_ACCESS_KEY → CLOUDFLARE_SECRET_ACCESS_KEY
- Keep NEXT_PUBLIC_CLOUDFLARE_PUBLIC_BUCKET_URL as is (safe to expose)
- Refactor storage abstraction: Ensure storageClient.ts frontend exports don't import r2Client.ts directly
- Update all API routes to handle R2 operations server-side only
Files to Update
- src/utils/r2Client.ts - Remove NEXT_PUBLIC_ prefix from credential env vars
- src/utils/storageClient.ts - Ensure frontend-safe exports that don't bundle R2 credentials
- src/async/mutationHooks/files/useFileUploadOptimisticMutation.ts - Call API route instead of direct storage operations
- Environment variable configuration files
- Server-side type definitions
Related
- PR: feat(storage): ✨ add local Supabase storage support for development #695 (introduced storage abstraction layer)
- Comment: feat(storage): ✨ add local Supabase storage support for development #695 (comment)
Reported by: @navin-moorthy
Assignee: @navin-moorthy
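The check below is an added example, not code from this issue or from the project. It shows the two things a reviewer of this fix would want: an audit that flags NEXT_PUBLIC_ variables whose names look like credentials (the three R2 variables named above are flagged, the public bucket URL is not), and a server-only accessor that refuses to read any NEXT_PUBLIC_ variable, so a credential that is accidentally inlined into the bundle cannot be picked up by server code either. The secret-name pattern, the allowlist, the function names and the sample .env contents are all assumptions made for the example.

```typescript
// Added example (not the project's code): audit .env-style text for secrets
// exposed through the NEXT_PUBLIC_ prefix, and read server secrets safely.

// Assumption: variable names containing these fragments hold credentials.
// ACCOUNT_ID is included because the issue treats it as part of the R2 credential set.
const SECRET_PATTERN = /(SECRET|ACCESS_KEY|PRIVATE|PASSWORD|TOKEN|ACCOUNT_ID)/;

// Assumption: only the public bucket URL is intentionally exposed to the browser.
const PUBLIC_ALLOWLIST = new Set<string>(["NEXT_PUBLIC_CLOUDFLARE_PUBLIC_BUCKET_URL"]);

interface EnvFinding {
  name: string;      // offending variable name
  line: number;      // 1-based line in the .env text
  suggested: string; // same name without the NEXT_PUBLIC_ prefix
}

// Parse KEY=value lines (blank lines and # comments skipped) and return every
// NEXT_PUBLIC_ variable that is not allowlisted and looks like a credential.
function findExposedSecrets(envText: string): EnvFinding[] {
  const findings: EnvFinding[] = [];
  envText.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(line);
    if (!m) return;
    const name = m[1];
    if (!name.startsWith("NEXT_PUBLIC_")) return;
    if (PUBLIC_ALLOWLIST.has(name)) return;
    if (!SECRET_PATTERN.test(name)) return;
    findings.push({ name, line: idx + 1, suggested: name.slice("NEXT_PUBLIC_".length) });
  });
  return findings;
}

// Server-side accessor for credentials. It refuses to run when a browser
// global `window` exists (the module was bundled into the client by mistake)
// and refuses NEXT_PUBLIC_ names, so secrets can only live in server-only variables.
function readServerSecret(name: string, env: Record<string, string | undefined>): string {
  if ("window" in globalThis) {
    throw new Error(`readServerSecret(${name}) called in the browser`);
  }
  if (name.startsWith("NEXT_PUBLIC_")) {
    throw new Error(`${name} is a public variable; credentials must not use the NEXT_PUBLIC_ prefix`);
  }
  const value = env[name];
  if (!value) {
    throw new Error(`missing server environment variable ${name}`);
  }
  return value;
}

// Constructed sample .env using the names from the issue (values are fake).
const SAMPLE_ENV = `
# Cloudflare R2 configuration before the fix
NEXT_PUBLIC_CLOUDFLARE_ACCOUNT_ID=0123456789abcdef
NEXT_PUBLIC_CLOUDFLARE_ACCESS_KEY_ID=AKIAEXAMPLE
NEXT_PUBLIC_CLOUDFLARE_SECRET_ACCESS_KEY=not-a-real-secret
NEXT_PUBLIC_CLOUDFLARE_PUBLIC_BUCKET_URL=https://pub.example.invalid
NEXT_PUBLIC_APP_NAME=demo
`;

// Human-readable report, one line per finding, for use in a pre-commit or CI step.
function report(envText: string): string {
  return findExposedSecrets(envText)
    .map((f) => `line ${f.line}: ${f.name} is exposed to the browser; rename to ${f.suggested}`)
    .join("\n");
}
```

Running `findExposedSecrets` over the project's `.env*` files in CI (failing the build on any finding) catches the regression this issue describes before it ships; `readServerSecret` is the shape the server-side r2Client.ts accessor should take once the variables are renamed.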