
I want to use the Bee Template API inside my Visualforce page. So, this is the code I used:

    <!-- Visualforce Page -->
    <apex:page showHeader="false"
           controller="TemplateMakerClass">
  
    <apex:form >
        
        <apex:pageBlock rendered="true"> 
            <div id="bee-plugin-container" style="overflow:auto; padding:5px;">
            </div>
        </apex:pageBlock>

    </apex:form>
    
    <apex:includeScript value="https://app-rsrc.getbee.io/plugin/BeePlugin.js"/>
    <apex:includeScript value="https://johnresig.com/files/htmlparser.js"/>

    <script type="text/javascript">

    //Rest of the code

    request(
        'POST',
        'https://auth.getbee.io/apiauth',
        'grant_type=password&client_id={!JSENCODE(clientId)}&client_secret={!JSENCODE(clientSecret)}',
        'application/x-www-form-urlencoded',
        function (token) {
          BeePlugin.create(token, beeConfig, function (beePluginInstance) {
            bee = beePluginInstance;
            request(
              'GET',
              '{!$Resource.TemplateOne}',
              null,
              null,
              function (template) {
                  bee.start(template);
              });
          });
        });
        
    </script>

    <!--Rest of the code-->

    </apex:page>

This is the code to initialize the Bee Template API. The values of clientId and clientSecret are stored as Custom Metadata Types and are retrieved in the controller Apex class:

    // Visualforce controller Apex class
    global with sharing class TemplateMakerClass {

        public String clientId {get;set;}
        public String clientSecret {get;set;}

        public TemplateMakerClass() {
            clientId = PropertiesClass.getBeeClientId();
            clientSecret = PropertiesClass.getBeeClientSecret();
        }

        //Rest of the code
    }

In the PropertiesClass, metadata types are retrieved using SOQL queries. The code works fine. But the problem I am facing is that, as clientId and clientSecret are used in the JavaScript code, they are exposed in the browser, i.e., I can see the values of both variables in the page source. It's showing an Information Disclosure Vulnerability issue when I submit the app for security review because of this. So, how can I solve this? Is there any way to use the variables inside the JavaScript without exposing them to the browser?
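One way to keep the secret out of the page source is to make the auth call from Apex and hand the browser only the resulting token. The following is an added example, not part of the original post or Bee's own code; it assumes `https://auth.getbee.io` is allowed as a Remote Site Setting, that the auth endpoint answers with a JSON token body, and it introduces the hypothetical names `getBeeToken` and `BeeAuthException`.

```apex
// Added example: hardened variant of TemplateMakerClass.
// The clientId/clientSecret properties and their {!JSENCODE(...)} merge fields
// are removed, so neither value is rendered into the page.
global with sharing class TemplateMakerClass {

    // Hypothetical exception type for reporting auth failures to the page.
    global class BeeAuthException extends Exception {}

    // Invoked through JavaScript remoting. The secret is read and sent
    // server-side only; the method returns the raw JSON token response.
    @RemoteAction
    global static String getBeeToken() {
        String body = 'grant_type=password'
            + '&client_id='
            + EncodingUtil.urlEncode(PropertiesClass.getBeeClientId(), 'UTF-8')
            + '&client_secret='
            + EncodingUtil.urlEncode(PropertiesClass.getBeeClientSecret(), 'UTF-8');

        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://auth.getbee.io/apiauth');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody(body);
        req.setTimeout(10000);

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Report only the status; never echo the request body or secret.
            throw new BeeAuthException('Bee auth failed with HTTP ' + res.getStatusCode());
        }
        return res.getBody();
    }
}

// Page side, replacing the request('POST', 'https://auth.getbee.io/apiauth', ...) call.
// JSON.parse assumes the original request() helper parsed the response the same way.
//   Visualforce.remoting.Manager.invokeAction(
//       '{!$RemoteAction.TemplateMakerClass.getBeeToken}',
//       function (result, event) {
//           if (!event.status) { console.error(event.message); return; }
//           BeePlugin.create(JSON.parse(result), beeConfig,
//               function (beePluginInstance) { /* as in the original page */ });
//       },
//       { escape: false });  // remoting HTML-escapes string results by default
```

The token still reaches the browser, which the plugin requires, but the client secret never leaves the server.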

1 Answer
