Using environment variables in redirect query

Hi there.
I’m wondering if there is a way to use environment variables in a redirect query? I’ve got the following but it’s not working, not sure if it’s even possible:

[[redirects]]
  from = "/auth/login"
  to = "https://todoist.com/oauth/authorize"
  status = 200
  force = true
  query = {client_id="TODOISTCONFIG_CLIENT_ID",scope="TODOISTCONFIG_SCOPE",state="TODOISTCONFIG_STATE"}

Hey @bikingbadger,
Unfortunately, the environment variables aren’t available in the way you’re trying to access them. How do you feel about Netlify Functions? If you have the env vars TODOISTCONFIG_CLIENT_ID, etc. entered in the Netlify UI, you could access them in a Netlify Function and then use them to construct the URL you need. Your function would look something like:

Thanks Jen,
I was thinking of functions in the first place but was running into a bit of wall, probably due to my misunderstanding how it all works. The https://todoist.com/oauth/authorize url opens up a login form so not sure how the function will handle that as the function runs in the on the server whereas I want it to basically forward what with the hidden variables. Not really sure if it will work in this way.

I’m not sure what you’ll need to do then. You may want to contact them on how to avoid exposing those query params when you redirect to their endpoint. Maybe you need to use one of their personal tokens or OAuth token as mentioned here: https://developer.todoist.com/rest/v1/#authorization.

Hey @bikingbadger :wave:t2:

I’m not sure I’m fully tracking your use case / problem here, but perhaps you could spin up a very small Function that just sends down the environment values you’re looking for, then you can hydrate those values into your request to the todoist API before executing it on your client-side JS.

e.g.

return ({
  status: 200,
  body: JSON.stringify({
    clientId: process.env.CLIENT_ID,
    scope: process.env.SCOPE,
    etc..
  })
})

That way you get environment-specific variable values but they’re not directly in your front-end either.

You could still keep your redirect as well if you’re looking to still use the /auth/login endpoint instead of calling out directly to the todoist url.

Food for thought :slight_smile:


Jon

If the point is instead that you don’t want your users to be able to see your sensitive credentials, my solution above clearly misses that point, but I have other concerns about workflow :thinking: Would like to learn more for sure.


Jon

Hi Jon,
Thanks for the interest in my little problem. As you stated in the last post I am trying to hide the sensitive credentials for using the API. I’m sure I’'m just missing something in my understanding of the whole process. The first step is using I send the client_id and secret to https://todoist.com/oauth/authorize which opens a login on the todist side. A user logs in and then todoist re-directs back to a callback URL setup for the app. It comes along with the token that I can then store and use.
According to the documentation this secret is a randomly created value so maybe I will try and create this per request and then save it in localstorage or session to check against. This ping pong is what is confusing me and how to do it without compromising the security of the user or app

Hey @bikingbadger,
Wanted to share this tutorial in case it’s helpful for you (not the Intercom-specific part, but the rest since it sounds like you’re doing an oauth flow):