Access Token is publicly accessible when using Nuxt

I just realized that when using Nuxt (version 3 or version 4) and the related Prismic libraries (@prismicio/client notably), the access token gets stored publicly in the client config, making it accessible to anyone when inspecting the DOM.

It is stored in the window.__NUXT__.config.public.prismic.clientConfig.accessToken object

To compare, some recent websites that I made recently using Next.js do not have any visible access token, only the Nuxt websites do.

I found no mention of this behavior in the docs, and it is highly insecure because it disables all the security aspects of using an access token in the first place.

I’m not sharing a specific URL for obvious reasons. But I hope I’m just doing something wrong and it’s not Prismic having this bug around for a while!
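As an added example (not code from the thread or from Prismic/Nuxt), a small audit that walks a Nuxt public runtime config object and reports the paths of values whose key names look like credentials; run against `window.__NUXT__.config.public` in a browser console, it flags exactly the kind of exposure described above. The sample object is constructed to mirror the path quoted in the post, and the token value is a placeholder.

```javascript
// Added example: audit a Nuxt public runtime config for values that look like
// secrets. Everything under window.__NUXT__.config.public is shipped to the
// browser and readable by any visitor, so nothing sensitive belongs there.
const SECRET_KEY_PATTERN = /(token|secret|password|passwd|api[_-]?key|private[_-]?key)/i;

/**
 * Recursively walk a public config object and return the dotted paths of
 * leaf values whose key name suggests a credential (non-empty strings only).
 */
function findExposedSecrets(publicConfig, prefix = "") {
  const hits = [];
  if (publicConfig === null || typeof publicConfig !== "object") return hits;
  for (const [key, value] of Object.entries(publicConfig)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value !== null && typeof value === "object") {
      // Nested object or array: descend and keep the full path.
      hits.push(...findExposedSecrets(value, path));
    } else if (SECRET_KEY_PATTERN.test(key) && typeof value === "string" && value.length > 0) {
      hits.push(path);
    }
  }
  return hits;
}

// Constructed sample shaped like the object the post points at
// (window.__NUXT__.config.public); endpoint and token are placeholders.
const SAMPLE_PUBLIC_CONFIG = {
  prismic: {
    endpoint: "https://example-repo.cdn.prismic.io/api/v2",
    clientConfig: { accessToken: "PLACEHOLDER_NOT_A_REAL_TOKEN", routes: [] },
  },
  siteName: "Example",
};

// Same shape with no token present, for comparison.
const SAMPLE_CLEAN_CONFIG = {
  prismic: { endpoint: "https://example-repo.cdn.prismic.io/api/v2", clientConfig: { routes: [] } },
  siteName: "Example",
};

// On a deployed Nuxt site this would be: findExposedSecrets(window.__NUXT__.config.public)
console.log(findExposedSecrets(SAMPLE_PUBLIC_CONFIG)); // → ["prismic.clientConfig.accessToken"]
console.log(findExposedSecrets(SAMPLE_CLEAN_CONFIG));  // → []
```

A non-empty result means the value is already public to every visitor; the remedy is to keep it out of the public runtime config (or accept that it provides no more protection than the "Public API" setting).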

Hey @thiervoj,

Thanks for reaching out about this, and welcome to our community!

Completely understand your worry here. To clear that up, this isn't a security concern in that this token does not give access to any information that isn't already publicly available on your website. This is a read-only token. Unless you have paywalled content, in which case while not a security concern this might circumvent it. I've forwarded this to our resident Nuxt expert, who'll get back to us on this and provide any needed details.

Thanks for your response,

I get that it is a read-only token, but IMO by definition, an access token should remain private.

By letting it be publicly available as it is right now, it results in the exact same behavior as having no access token at all.

In the repository settings, under the “API & Security” section, I would assume it’s been named “Private API” for a reason (even more so under a section that has the “security” keyword in it).

Having the access token visible to anyone savvy enough to look for it in the inspector is the same as setting the API access option to “Public API”.

I agree, the impact is not that important unless the content is behind a paywall, but I’m sure this must be the case somewhere. This is mostly a security and documentation clarity concern.