@solana/connector 0.1.5 → 0.1.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +65 -0
- package/package.json +1 -1
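--- a/package/README.md
+++ b/package/README.md
@@ -610,6 +610,71 @@ const mobile = getDefaultMobileConfig({
 
 ## Security Considerations
 
+### RPC API Key Protection
+
+If you're using a paid RPC provider (Helius, QuickNode, etc.), avoid exposing your API key client-side. Anyone can grab it from the browser's network tab.
+
+**Solution: RPC Proxy Route**
+
+Create an API route that proxies RPC requests, keeping the API key server-side:
+
+```typescript
+// app/api/rpc/route.ts
+import { NextRequest, NextResponse } from 'next/server';
+
+// Server-side only - not exposed to client
+const RPC_URL = process.env.SOLANA_RPC_URL || 'https://api.mainnet-beta.solana.com';
+
+export async function POST(request: NextRequest) {
+try {
+const body = await request.json();
+
+const response = await fetch(RPC_URL, {
+method: 'POST',
+headers: { 'Content-Type': 'application/json' },
+body: JSON.stringify(body),
+});
+
+const data = await response.json();
+return NextResponse.json(data);
+} catch (error) {
+return NextResponse.json({ error: 'RPC request failed' }, { status: 500 });
+}
+}
+```
+
+Then configure the connector to use the proxy:
+
+```typescript
+'use client';
+
+import { getDefaultConfig } from '@solana/connector/headless';
+
+// Get origin for absolute URL (Kit requires full URLs)
+const getOrigin = () => {
+if (typeof window !== 'undefined') return window.location.origin;
+return 'http://localhost:3000';
+};
+
+const config = getDefaultConfig({
+appName: 'My App',
+clusters: [
+{
+id: 'solana:mainnet' as const,
+label: 'Mainnet',
+name: 'mainnet-beta' as const,
+url: `${getOrigin()}/api/rpc`, // Proxy URL
+},
+// ... other clusters
+],
+});
+```
+
+Your `.env` file (no `NEXT_PUBLIC_` prefix):
+```
+SOLANA_RPC_URL=https://mainnet.helius-rpc.com/?api-key=your-key
+```
+
 ### Token Image Privacy
 
 When using `useTokens()` or `useTransactions()`, token metadata (including logo URLs) is fetched from external APIs. By default, these image URLs are returned directly, which means when your users' browsers fetch these images, the image host can see: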
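Review bot: The proxy in the new `app/api/rpc/route.ts` example (new lines 628–643) forwards whatever JSON body it receives to `RPC_URL` with no authentication, method allowlist, body-size limit or rate limiting, so it hides the key but leaves the paid quota usable by anyone who can reach `/api/rpc`; the README should state that limit instead of presenting the route as a complete fix for the concern raised at line 615. A minimal hardening that fits the example is to check the JSON-RPC `method` before forwarding, e.g. `const ALLOWED_METHODS = new Set(['getLatestBlockhash', 'getBalance', 'sendTransaction']);` followed by `if (!ALLOWED_METHODS.has(body?.method)) return NextResponse.json({ error: 'method not allowed' }, { status: 403 });`, with a sentence noting that batched (array) requests need the same check per entry if the connector sends them — this hunk does not show whether it does. Separately, `response.ok` is never checked, so an upstream 4xx/5xx JSON error is relayed with status 200, and the `catch` at line 640 discards `error`, which makes a misconfigured `SOLANA_RPC_URL` hard to diagnose; consider `if (!response.ok) return NextResponse.json({ error: 'upstream RPC error' }, { status: 502 });` and logging the caught error server-side. A short paragraph after the code block naming rate limiting and origin/session checks as the reader's responsibility would keep this example from being copied as an open relay.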