-2

I'm doing technical test for some company and I created github api token and used in fetch function(headers : Authorization) , because without it I exceeded fetch limit(20-30 calls in minute), now I have to push my project in github and what should I to token? I know that's it's personal, but without it website crashes if user calls fetch more than 20-30 times in minute, what should I do?

        const getPoPularProfile = async () => {
        const api_url = 'https://api.github.com/search/users?q=repos:%3E800+followers:%3E1000&page=1&per_page=10';
        const fetchProfile = await fetch(api_url,{
            headers: {
              Authorization: `token my token ` 
            }
          });
        const profile = await fetchProfile.json();
            setProfiles(profile.items);
    }

so thats code, it gets called every time user types something in search bar, i know github api limit is like thousands in hour, but if you aren't calling fetch in same intervals, its like 10-15 calls per minute, and 20-30 call per minute if using github token, so thats why i am using token and setTimeout function to avoid calling fetch more then 20 times per minute.

        if(searchValue !== ''){              
          setShow(true);
          setSpinner(true);
          const timer = setTimeout(() => {
          getSearchedProfile(searchValue);
        }, 2200);
    
        return () => clearTimeout(timer);
    }

and if won't push token with project and someone clones my code from github, and hosts it, site will crash because for exceeded limits.

Giorgi-Doreuli
  • 1
  • 3
  • 1
    Definitely _don't_ share your token. But without more details we can't give you a very good answer. Please read [answer]. – ChrisGPT was on strike Mar 06 '22 at 22:23
  • @Chris edited post for more information – Giorgi-Doreuli Mar 06 '22 at 22:34
  • you also should look into "debouncing" https://css-tricks.com/debouncing-throttling-explained-examples/ to minimize API requests and maybe don't hit the api at all until you have 5+ chars. When a user is actively typing, you're just making calls that will be thrown away... – Dave Mar 06 '22 at 22:44

1 Answers1

2

Your code should read this key as an environment variable or via a secret's manager (e.g. aws) or similar. It should not be hard-coded.

Other users of the code should get their own key, or a valid key by logging into GitHub. You can offer to communicate the key to them via email as a convenience.

Even if they have a private repo, it is frowned upon to commit the key to the repo.

Finally, the key must only be used on the server-side. If the key is used in public facing client-side webpage, then you've shared it with anyone who cares to take a few clicks and look at the network traffic from that webpage. I hope your code talks to your private API, and that API uses the key to communicate with the 3rd part service.

Dave
  • 7,552
  • 4
  • 22
  • 26