Reputation: 11
My NextJS build on Netlify is failing because of secret environment variables.
My app interacts with the Spotify API. I need to set secrets for both Spotify and NextAuth.
Those vars were created on Netlify and marked as secret.
My code only references them in several places through variables like the ones below; they are never hard-coded. On my local, those variables are in the .env file and on Netlify they are set up in the control panel.
clientId: process.env.SPOTIFY_CLIENT_ID!,
clientSecret: process.env.SPOTIFY_CLIENT_SECRET!,
secret: process.env.NEXTAUTH_SECRET,
The errors on the build look like this:
Secrets scanning found 97 instance(s) of secrets in build output or repo code. Secret env var “SPOTIFY_CLIENT_SECRET”'s value detected
I experimented with it and ran the build locally. Then I searched for the value of those keys in the .next folder and found 8 occurrences of the value in 6 files. However, I do not know if those files are accessible publicly. These are the files:
/.next/required-server-files.json
/.next/standalone/.next/required-server-files.json
/.next/server/app/api/auth/[...nextauth]/route.js
/.next/standalone/.next/server/app/api/auth/[...nextauth]/route.js
/.next/standalone/.env
/.next/standalone/server.js
So my two questions are:
Can the files above be accessed publicly?
Netlify has documentation about certain variables we can use so these secret variables are ignored. But what is the point of setting them as secret and then ignoring them? Why would I bother setting them as secrets in the first place?
I want my secret vars to remain secret.
Upvotes: 1
Views: 86
Reputation: 411
Short answer: clear Netlify cache and see Solution
Long answer: what likely happened is that Netlify found references to your secret vars in its cache. That's because you pushed your code to git before defining the Secret Environment Variables on Netlify. When building for your git push, Netlify cached references to your Secret vars which were not secret to Netlify yet.
Solution: Netlify project > Published deploy > Retry or Options > Clear cache and retry commit with latest branch
Upvotes: 0