I'm currently developing a proxy service called Cloakstream using Cloudflare Workers. Here's the gist: you can input a direct download link into a box, press start, and receive a unique encrypted proxy URL for that link. This way, you can share the download link without giving away the server.
However, to keep the encryption key safe from users, I'm storing it as an environment variable. But when I took a look at the Cloudflare Workers source code, I noticed that the encryption key was still clearly visible in plain text. Any idea why this is happening?
Here's the relevant code I see in my Cloudflare Worker while doing inspect element (I changed the actual key, and yes, the project is called Cloakstream):
const encryptedPath = await encryptData(url, 'V7Od3oY$1WJ0')
const cloakstreamUrl = location.origin + '/cloakstream/' + encodeURIComponent(encryptedPath)
But when I look at the script in the Worker dashboard, I see this:
const password = ENCRYPTION_KEY
const encryptedPath = await encryptData(url, password)
const cloakstreamUrl = location.origin + '/cloakstream/' + encodeURIComponent(encryptedPath)
So the encryption key shouldn't be shown, no? And yes, I did make that environment variable.
I have tried numerous solutions but none seem to work. I feel like I've hit a roadblock and I don't know what else to do. If anyone could offer some guidance or advice, I would greatly appreciate it. Thank you so much in advance.
Based on your comments in the questions, what you need to do is return the entire encrypted URL to the client, not the encryption key and 'encrypt' on the client.
As soon as your encryption key is present on the client, it is accessible to that client (has to be, if you think about it).
You probably need an API endpoint that a page can hit in order to get a fully encrypted link?
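The endpoint suggested above, sketched as an added example that is not part of the original answer or the asker's code: the Worker does the encryption and the page only receives the finished link. The `/api/cloak` route, the module-style `env.ENCRYPTION_KEY` binding and this `encryptData` body (PBKDF2 + AES-GCM via Web Crypto) are assumptions standing in for the asker's own.

```javascript
// Stand-in for the asker's encryptData (assumption): PBKDF2-derived AES-GCM key.
// Returns base64(salt || iv || ciphertext+tag). Runs only inside the Worker.
async function encryptData(plaintext, password) {
  const enc = new TextEncoder();
  const salt = crypto.getRandomValues(new Uint8Array(16));
  const iv = crypto.getRandomValues(new Uint8Array(12));
  const material = await crypto.subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  const key = await crypto.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 100000, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt']);
  const ct = new Uint8Array(await crypto.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(plaintext)));
  return btoa(String.fromCharCode(...salt, ...iv, ...ct));
}

// Hypothetical route: POST /api/cloak with JSON body {"url": "..."}.
// The key is read from the Worker's environment and never put in a response.
async function handleRequest(request, env) {
  const { pathname, origin } = new URL(request.url);
  if (request.method !== 'POST' || pathname !== '/api/cloak') {
    return new Response('Not found', { status: 404 });
  }
  let target;
  try {
    target = new URL((await request.json()).url); // throws on bad JSON or bad URL
  } catch {
    return new Response('Bad request', { status: 400 });
  }
  // Only proxy ordinary web downloads; reject javascript:, data:, file:, etc.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    return new Response('Bad request', { status: 400 });
  }
  const encryptedPath = await encryptData(target.href, env.ENCRYPTION_KEY);
  const cloakstreamUrl =
    origin + '/cloakstream/' + encodeURIComponent(encryptedPath);
  return new Response(JSON.stringify({ cloakstreamUrl }), {
    headers: { 'content-type': 'application/json' },
  });
}

// In a module Worker this would be wired up as:
//   export default { fetch: handleRequest };
// and the page would call fetch('/api/cloak', { method: 'POST', body: ... })
// instead of running encryptData in the browser.
```

With this shape the HTML and client script contain no reference to `ENCRYPTION_KEY` at all, so there is nothing for inspect element to reveal.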