I was pasting an exposed API key in an HTML Repl, and got popped up with this:
Pressing tab awkwardly placed a process.env call inside of my vanilla JS. I think it’s 'cause it’s not checking the Repl type and simply showing this on any JS file that just had a key pasted.
This is one of those things that will probably only happen once, but still weird that it happened at all, and probably not expected functionality.
It even let me type a name for the Secret in a nice popup, though I don’t know where/if/how it stored it, especially since it’s an HTML, CSS, JS Repl and not a Node.js one.
Happened to me too a while ago, even before I realized that you couldn’t do secrets in vanilla JS. 
Definitely a bug.
This is kind of unrelated but firebase API keys don’t need to be kept private
@boston2029 I think this may be on purpose.
I remember putting some long URL into a HTML or Node repl (can’t remember), and it told me that there was some secret key (the URL said ‘key’) in it, and asked if I wanted to store it in a URL.
I don’t think it is a bug.
It is a bug, because the point of it is to automatically put the secret into replit’s secret storage, which doesn’t exist for html/js/css repls
The point is that it shouldn’t be doing that in an HTML Repl
Oh, why not? 
I usually don’t hide them anyway, and that key I had restricted to just my domains, but still. Why do you say so?
All of the services which can be accessed with that key (auth, firestore, etc) have their own form of authorization. The only thing you can do with access to an auth instance is, well, log yourself in and see your user data which you anyway have. Assuming your firestore rules are secure, the same applies to firestore. You should still only be able to access/modify data you have permission to.
I think the API key is there just to make it slightly harder for people to web scrape a bunch of firestore data or attempt to mass DDOS firebase. (For firestore, it’s easier for firebase to quickly deny a request without an API key than to actually evaluate the rules, reducing the impact of being DDOS’d)
My rules are currently
read: true,
write: true
lol. I’m still in development so once everything gets smooth-rolling I might write some in-depth rules but ye
These are not interchangeable so it’s important to the situation
I’m still able to reproduce this when pasting that same snippet, even with any key. Screenshots:
It pastes it so awkwardly, like it removes the API key from the string, leaving it an empty string, and pastes it on a new line as the Secret. So strange.
And since this is probably intended to actually work on Node.js JavaScript files, then then it still needs to be fixed.
Oh, and I actually pasted just the API key by itself again, and it actually inserted it, but inside of the string. Which would not work anyway.
If only it was possible to create custom boilerplate shortcuts (like !) that could be stored in a Replit file or something.
(Maybe even a snippet backpack like Scratch? )
