Visual developer

Security Concern: API Key and Authentication Tokens Visible in Browser Console

Database & APIs

Hello FlutterFlow community,

I'm developing an application with FlutterFlow and have encountered a security issue that concerns me. While testing my application, I observed that sensitive authentication information is visible in the browser console. I'd appreciate your guidance on whether this is expected behavior and how to address it.

Problem Details:

  1. When attempting to log in (even with incorrect credentials), I can see the following information in the browser console:

    • The full API key

    • A Bearer token

    • A user session token

  2. This information appears in the HTTP request headers to /auth/v1/token?grant_type=password.

  3. The API key is shown in the Apikey header and the Bearer token in the Authorization header.

Concerns:

  1. Exposing the API key on the client side seems to be an insecure practice.

  2. The visibility of the user session token in the developer tools could allow for easy extraction and unauthorized use.

  3. While I understand the Supabase project token (anon key) and the user session token serve different purposes, I'm concerned about the overall security implications of their visibility.

Questions:

  1. Is this behavior expected in FlutterFlow when integrated with Supabase?

  2. If not, how can I configure my application to handle these credentials more securely?

  3. Are there any guidelines or best practices in FlutterFlow for handling authentication securely, especially when working with Supabase?

  4. Should I be concerned about the difference between the user session token and the Supabase project token, and their respective visibilities?

  5. Are there any additional security measures I should implement to protect these tokens?

I would greatly appreciate any guidance on how to address these security concerns. My goal is to ensure that my application handles credentials and tokens securely while maintaining the functionality provided by FlutterFlow and Supabase.

Thank you in advance for your help and expertise.

What have you tried so far?

None

Did you check FlutterFlow's Documentation for this topic?
Yes
7
2 replies