
I want to use the Bee Template API inside my Visualforce page. So, this is the code I used:

    <!-- Visualforce Page -->
    <apex:page showHeader="false"
           controller="TemplateMakerClass">
  
    <apex:form >
        
        <apex:pageBlock rendered="true"> 
            <div id="bee-plugin-container" style="overflow:auto; padding:5px;">
            </div>
        </apex:pageBlock>

    </apex:form>
    
    <apex:includeScript value="https://app-rsrc.getbee.io/plugin/BeePlugin.js"/>
    <apex:includeScript value="https://johnresig.com/files/htmlparser.js"/>

    <script type="text/javascript">

    //Rest of the code

    request(
        'POST',
        'https://auth.getbee.io/apiauth',
        'grant_type=password&client_id={!JSENCODE(clientId)}&client_secret={!JSENCODE(clientSecret)}',
        'application/x-www-form-urlencoded',
        function (token) {
          BeePlugin.create(token, beeConfig, function (beePluginInstance) {
            bee = beePluginInstance;
            request(
              'GET',
              '{!$Resource.TemplateOne}',
              null,
              null,
              function (template) {
                  bee.start(template);
              });
          });
        });
        
    </script>

    <!--Rest of the code-->

</apex:page>

This is the code to initialize the Bee Template API. The values of clientId and clientSecret are stored as Custom Metadata Types and are retrieved in the controller Apex class:

    //visualforce controller apex class
    global with sharing class TemplateMakerClass {

        public String clientId {get;set;}
        public String clientSecret {get;set;}

        public TemplateMakerClass() {
            clientId = PropertiesClass.getBeeClientId();
            clientSecret = PropertiesClass.getBeeClientSecret();
        }

        //Rest of the code
    }

In the PropertiesClass, metadata types are retrieved using SOQL queries. The code works fine. But the problem I am facing is that, as clientId and clientSecret are used in the JavaScript code, they are exposed in the browser, i.e., I can see the values of both variables in the page source. It's showing an Information Disclosure Vulnerability issue when I submit the app for security review because of this. So, how can I solve this? Is there any way to use the variables inside the JavaScript without exposing them to the browser?
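
One way to keep the secret out of the page source, shown as an added example that is not part of the original post: make the token request from Apex and return only the auth response to the browser. `BeeTokenService`, `getBeeToken` and `BeeAuthException` are hypothetical names, and the sketch assumes `auth.getbee.io` is registered as a Remote Site Setting; `PropertiesClass` and the endpoint come from the question.

```apex
// Added example (not from the original post). BeeTokenService, getBeeToken and
// BeeAuthException are hypothetical names; PropertiesClass and the endpoint URL
// are taken from the question.
global with sharing class BeeTokenService {

    public class BeeAuthException extends Exception {}

    // Called from the page through JavaScript remoting. The credentials are read
    // and used on the server only; the browser receives just the auth response.
    @RemoteAction
    global static String getBeeToken() {
        String body = 'grant_type=password'
            + '&client_id='
            + EncodingUtil.urlEncode(PropertiesClass.getBeeClientId(), 'UTF-8')
            + '&client_secret='
            + EncodingUtil.urlEncode(PropertiesClass.getBeeClientSecret(), 'UTF-8');

        HttpRequest req = new HttpRequest();
        req.setMethod('POST');
        // Assumption: this host is allowed as a Remote Site Setting.
        req.setEndpoint('https://auth.getbee.io/apiauth');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody(body);
        req.setTimeout(10000);

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Report the status only: request and response bodies may hold secrets.
            throw new BeeAuthException(
                'Bee auth request failed with status ' + res.getStatusCode());
        }
        // Returned unchanged; the page parses it and passes it to BeePlugin.create.
        return res.getBody();
    }
}
```

The method can equally live in `TemplateMakerClass`; on the page, the `request('POST', 'https://auth.getbee.io/apiauth', ...)` call is then replaced by a remoting call to it. The `clientId` and `clientSecret` properties and their `{!JSENCODE(...)}` merge fields are removed so neither value is rendered into the markup.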

1 Answer
