Is it safe to have cloud name and preset in front end code? Upload question

SantaOMG
SantaOMG Member Posts: 4

I have made an app with the MERN stack. I am using the url endpoint to allow users to upload images to my cloudinary, and then the data from that gets put into a mongodb database which I pull information from. I have the cloud name and preset in my .env file, but .env variables get put into the build folder anyway so it doesn't really make a difference.

To try to remedy this, I tried using the SDK in my backend (nodejs). I installed the cloudinary npm package and configured it, but it gives me the error "ENEONT: No such file or directory" and then it shows the path to my server's folder on my computer.

I don't understand how the upload is supposed to work if it looks for the file in my server folder.

I haven't been able to figure out how to make it work, so I guess I have to use the URL endpoint like I've been doing. That leads me to my question, "is it a good idea to have my cloud name and preset right there in my code?".

I would assume no, since anyone could just use the endpoint to remove all of the images on my cloudinary lol.

Answers

  • tia
    tia Member, Cloudinary Staff Posts: 29

    Hi there,

    Thanks for reaching out.

    Your cloud name is not a sensitive credential, as it actually appears as part of the URL for any asset stored in your Cloudinary account. For example in the following URL generated from the sample image in our demo account, https://res.cloudinary.com/demo/image/upload/sample.jpg, the cloud name is 'demo' and you can see that it appears in the URL.

    You do not need to put your cloud name or upload preset name in your .env file. The only thing that should be in the .env file is your Cloudinary_URL. You can find this API environment variable in your account dashboard. Would you like to make those changes and let us know how it goes?

    You can also share your code with us if you are still having trouble and would like us to take a look. But if you need to share any sensitive information, you should open a support ticket with us directly. You can do that through the following link: https://support.cloudinary.com/hc/en-us/requests/new

    I hope this helps. If you have any questions at all, do not hesitate to ask.

    Kind Regards,

    Tia

  • SantaOMG
    SantaOMG Member Posts: 4

    Hey, Tia.

    Thanks for your response.

    How is it safe when all someone would have to do is send a fetch request to https://api.cloudinary.com/v1_1/${CLOUDINARY_CLOUD_NAME}/upload (or delete, etc) and mess with my cloudinary account?

    The code I am using in my website is:

    await fetch(

            `https://api.cloudinary.com/v1_1/${CLOUDINARY_CLOUD_NAME}/upload`,

            {

              method: "POST",

              body: formData,

            }

          )

            .then((result) =>

              result.json().then((resJSON) => (uploadToMongoBody = resJSON))

            )

            .catch((err) => {

              console.log(err);

            });

    _______

    That's all it takes to upload something to my cloudinary. formData has the image's data, the upload preset and the folder. uploadToMongoBody is an object I use to add to my mongoDB database.