docs: JSON credential best practices #1923

Merged
merged 1 commit into from
Jan 24, 2025
4 changes: 4 additions & 0 deletions src/auth/googleauth.ts
Expand Up @@ -108,6 +108,10 @@ export interface GoogleAuthOptions<T extends AuthClient = JSONClient> {
* Object containing client_email and private_key properties, or the
* external account client options.
* Cannot be used with {@link GoogleAuthOptions.apiKey `apiKey`}.
*
* @remarks
*
* **Important**: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to {@link https://cloud.google.com/docs/authentication/external/externally-sourced-credentials Validate credential configurations from external sources}.
*/
credentials?: JWTInput | ExternalAccountClientOptions;
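
Review bot: the new @remarks on `credentials` does not say which of the two accepted shapes it is about. The property is typed `JWTInput | ExternalAccountClientOptions`, and the existing description already separates "client_email and private_key properties" from "the external account client options", but the warning speaks only of a "credential configuration" and leaves the meaning of "validate" entirely to the linked page. Consider adding one sentence that says which shape or shapes the warning applies to and what kind of check is expected, so the requirement stays actionable if the link moves. The paragraph is also a single line far longer than the wrapped comment lines above it; wrapping it to the same width would keep the block consistent.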

8 changes: 8 additions & 0 deletions src/auth/jwtclient.ts
Expand Up @@ -303,6 +303,10 @@ export class JWT extends OAuth2Client implements IdTokenProvider {
/**
* Create a JWT credentials instance using the given input options.
* @param json The input object.
*
* @remarks
*
* **Important**: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to {@link https://cloud.google.com/docs/authentication/external/externally-sourced-credentials Validate credential configurations from external sources}.
Contributor

This method is going to allow only service accounts, right?

If so, we do not need to warn here. Having it doesn't have any downside, though.

*/
fromJSON(json: JWTInput): void {
if (!json) {
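
Review bot: the phrase "(credential JSON/File/Stream)" in the remark added to `fromJSON` is broader than what this method accepts, which per the signature `fromJSON(json: JWTInput): void` is an already-parsed JSON object. The inline review question about whether this method only takes service accounts points at the same mismatch. Suggest narrowing the wording here to the JSON object case, or stating explicitly that the warning is kept for consistency with the other entry points, so a reader of this method knows whether there is anything in a `JWTInput` they are expected to check.
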
Expand Down Expand Up @@ -333,6 +337,10 @@ export class JWT extends OAuth2Client implements IdTokenProvider {
* Create a JWT credentials instance using the given input stream.
* @param inputStream The input stream.
* @param callback Optional callback.
*
* @remarks
*
* **Important**: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to {@link https://cloud.google.com/docs/authentication/external/externally-sourced-credentials Validate credential configurations from external sources}.
*/
fromStream(inputStream: stream.Readable): Promise<void>;
fromStream(
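
Review bot: this is the third verbatim copy of the same "**Important**" paragraph in the change (it is also on `credentials` and on `fromJSON`), here above the `fromStream` overloads. Three hand-maintained copies will drift when the wording or the URL changes. Consider keeping the full text in one place and pointing to it from the other two with a short {@link}, or at least wrapping the line and noting that the copies must be updated together. For this method the wording could also say "stream" rather than "JSON/File/Stream", since `inputStream: stream.Readable` is the only input it takes.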