by sikan_ 886 days ago
Database credentials in the dashboard..? How?
6 comments

Like my sibling said, probably as a next_public environmental variable.

They probably were doing fetch requests for the dashboard client side. I wonder if they had the entire db url stored as a next_public_db_url. That’s really irresponsible, and pretty easy to catch in development, at least for the pages router stuff. Maybe a little less obvious for ssr pages.

I haven’t tried a lot of the new app_router, maybe there’s a lot more mixing of client and server side stuff there. Regardless, you should be auditing your environmental variables!

I have no inside info, but it sounds like the key was inadvertently bundled into the client-side code. This could happen when using web frameworks that do both client-side and server-side rendering, if one of your client-side files imports something from a file that is supposed to be server-only, and contains the API key environment variable.

Some frameworks automatically detect this and fail to build if you do it, but apparently not all of them.

Probably all the new NextJS / Server Components stuff - mixing and matching server & client code in the same file. Or the classic NEXT_PUBLIC_ env var

They say so much in their article but never dive into how this happened, seems like the most important part? User error? Configuration error?
RSC seems like a massive foot gun - given that you can accidentally bundle anything from the server.

Maybe it was Supabase or Firebase credentials?