Discussion on protecting project ID and dataset in Nuxt project with Sanity
9 replies
Last updated: Mar 22, 2022
A
Hello everyone, today I'm going to publish my first Nuxt project paired with Sanity! But I wonder if anyone knows how I can "protect" my project_id and dataset with .env variables.
I've googled but I didn't find anything useful, really.
Mar 22, 2022, 3:15 PM
A
Alright, I just want to make sure that no one can see the project ID, so they can't start publishing content if they add it to their own project that runs on localhost:3000, since that's allowed in my CORS origins.
I might answer my own question, but if I deploy my studio to mydomain.com/studio and remove localhost:3000 from the CORS, I should be good, right?
Mar 22, 2022, 3:25 PM
No one can mutate any of your content without either write access or a valid write token. Yes, you could remove localhost:3000 from your CORS origins and things would still work from your deployed domain.
Mar 22, 2022, 3:27 PM
A
Hey Andreas, Andreas here. If I knew your project ID and dataset (and the correct URLs) I could read data from your studio, but not write to it. For that I'd need to be authenticated with a token.
When you use Sanity Studio you don't need to write that token because it is magically generated when you log in. So without knowing your Sanity login I couldn't do anything to your data even if I had the source code for your project and I knew your project ID and your dataset.
So I would recommend keeping localhost:3000 as a CORS origin; it makes life easier to be able to run Studio on localhost.
Mar 22, 2022, 3:28 PM
A
Ahh, makes sense! Thanks a lot, user A & user F
Mar 22, 2022, 3:30 PM
Thanks Andreas. Another option (though it's security through obscurity and is not a guarantee) is to run the Studio locally on a non-standard port:
sanity start --port=12345
with http://localhost:12345 in your CORS origins.
Mar 22, 2022, 3:31 PM
A
Yeah, that's true. I found this when I searched for deploying the studio: https://www.sanity.io/docs/studio-environment-variables
But I forgot about the fact that Andreas wrote that the user needs to be authenticated with my Sanity account.
Mar 22, 2022, 3:34 PM
A
So I doubt it would be a problem
Mar 22, 2022, 3:35 PM
There's also the -H flag on yarn and npm. You could potentially use that to start your local studio on a local IP address. Again, it's security by obscurity, but at this point someone is going to a lot of effort just to read data you've declared as public.
Let us know how things go.
Mar 22, 2022, 3:35 PM
A
Excuse me if this is the wrong place to ask, but I've read through the document on self-deploying a studio, and I'm confused: https://www.sanity.io/docs/deployment
Since I'm using Nuxt, I have a pages folder where all the routes can be found. So my first guess was to add the deployed Sanity studio to the pages/studio folder, but it gives me a 404.
Do you know how this can be solved?
Mar 22, 2022, 4:11 PM
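The split the replies above describe, as an added example that is not code from the thread, from Nuxt or from Sanity: projectId and dataset are public (every API request the browser makes carries them, so a .env file cannot hide them), while a write token is the actual secret and must only ever be read by server-side code. The variable names SANITY_PROJECT_ID, SANITY_DATASET and SANITY_WRITE_TOKEN, the format checks and the sample environment are all assumptions made for the example.

```javascript
// Added example (not from the thread, Nuxt or Sanity). Builds the public and the
// server-only Sanity client configuration from environment variables and adds a
// build-time guard that refuses to let a credential into the browser bundle.
// SANITY_PROJECT_ID, SANITY_DATASET and SANITY_WRITE_TOKEN are assumed names.

// Loose format checks (assumptions, not Sanity's official validation rules). Their
// job is to catch a token pasted into the wrong variable before it is shipped.
const PROJECT_ID_RE = /^[a-z0-9]+$/;
const DATASET_RE = /^[a-z0-9][a-z0-9_-]*$/;
// Keys that look like credentials must never appear in public configuration.
const CREDENTIAL_KEY_RE = /(token|secret|password|key)$/i;

// Configuration that is safe to expose to the browser (for example via Nuxt's
// publicRuntimeConfig). It deliberately has no way to carry a token.
function publicClientConfig(env) {
  const projectId = env.SANITY_PROJECT_ID;
  const dataset = env.SANITY_DATASET;
  if (!projectId || !PROJECT_ID_RE.test(projectId)) {
    throw new Error('SANITY_PROJECT_ID is missing or malformed');
  }
  if (!dataset || !DATASET_RE.test(dataset)) {
    throw new Error('SANITY_DATASET is missing or malformed');
  }
  // useCdn: true is fine for public reads; apiVersion pins the API behaviour.
  return { projectId, dataset, useCdn: true, apiVersion: '2022-03-22' };
}

// Configuration for server-only code (API routes, build scripts) that mutates
// content. useCdn is false so a read right after a write sees the fresh document
// rather than a cached copy.
function serverClientConfig(env) {
  const token = env.SANITY_WRITE_TOKEN;
  if (!token) {
    throw new Error('SANITY_WRITE_TOKEN is missing; mutations require a token');
  }
  return { ...publicClientConfig(env), useCdn: false, token };
}

// Guard to run at build time over whatever object ends up in the client bundle.
// It rejects credential-like keys and any value equal to a secret from env, so a
// copy/paste mistake fails the build instead of shipping a write token.
function assertNoSecretsInPublicConfig(publicConfig, env) {
  const secretValues = Object.entries(env)
    .filter(([key, value]) => CREDENTIAL_KEY_RE.test(key) && typeof value === 'string' && value.length > 0)
    .map(([, value]) => value);
  for (const [key, value] of Object.entries(publicConfig)) {
    if (CREDENTIAL_KEY_RE.test(key)) {
      throw new Error(`public config exposes credential-like key "${key}"`);
    }
    if (typeof value === 'string' && secretValues.includes(value)) {
      throw new Error(`public config key "${key}" carries a secret value`);
    }
  }
  return true;
}

// Constructed sample environment for the example; these are not real credentials.
const sampleEnv = {
  SANITY_PROJECT_ID: 'abc12345',
  SANITY_DATASET: 'production',
  SANITY_WRITE_TOKEN: 'skExampleWriteToken000',
};

// Usage when run directly: print the public config and show the guard catching a
// server config that was about to be exposed.
if (typeof require !== 'undefined' && require.main === module) {
  const pub = publicClientConfig(sampleEnv);
  assertNoSecretsInPublicConfig(pub, sampleEnv);
  console.log('public config:', pub);
  try {
    assertNoSecretsInPublicConfig(serverClientConfig(sampleEnv), sampleEnv);
  } catch (err) {
    console.log('guard rejected:', err.message);
  }
}
```

The point of the guard is that the check runs where the mistake happens (at build time, on the object that will be serialised into the bundle), not in the browser, where it would be too late.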