colinr

My Gatsby WordPress Lab.

Solved - My mistake...

Gatsby only puts environment variables prefixed GATSBY_ on the client. 

process.env.GATSBY_WORDPRESS_SITE_URL - set in gatsby-cloud - https://some-url.com

The Problem

Attempting to connect the client/Gatsby Frontend to WordPress to experiment with WPGRAPHQL + basic auth.

Everything seems to work on dev@ localhost:8000 && build@ localhost:9000

The URL is set as an ENV var. 

process.env.WORDPRESS_SITE_URL - set in gatsby-cloud - https://some-url.com

Code shows the implementation.

<div className={testWp}>
  <header>
    <span>Test WordPress responding</span>
    /* this doesn't work on gatsby-cloud... BECAUSE... env vars need GATSBY_ prefix
    to be on accessible on frontend */
    <button
      onClick={() =>
        fetch(`${process.env.WORDPRESS_SITE_URL}/graphql`, {
          method: "POST",
          headers: {
            "Content-Type": "application/json",
          },
          body: JSON.stringify({
            query: `
    {
        generalSettings {
            url
            email
        }
    }
`,
          }),
        })
          .then((res) => res.json())
          .then((res) => {
            setResponseToPrint(res.data);
          })
      }
    >
      Test WP
    </button>
  </header>
  <div style={{ overflow: "auto" }}>
    <pre>
      <code>{JSON.stringify(responseToPrint)}</code>
    </pre>
  </div>
</div>

...however, the fetch requests at the live site look like this...

fetch(
  "https://some-url.com/the-current-location/undefined/graphql",  - not env var
  {
    headers: {
      accept: "*/*",
      "accept-language": "en-GB,en-US;q=0.9,en;q=0.8",
      "cache-control": "no-cache",
      "content-type": "application/json",
      pragma: "no-cache",
      "sec-ch-ua":
        '"Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"',
      "sec-ch-ua-mobile": "?0",
      "sec-fetch-dest": "empty",
      "sec-fetch-mode": "cors",
      "sec-fetch-site": "same-origin",
    },
    referrer: "https://some-url.com/the-current-location",
    referrerPolicy: "same-origin",
    body: '{"query":"\\n        {\\n            generalSettings {\\n                url\\n\\t\\t\\t\\t\\t\\t\\t\\temail\\n            }\\n        }\\n    "}',
    method: "POST",
    mode: "cors",
    credentials: "include",
  }
);

The Solution

In order to fix this, simple prefix all of the environment variables that the client depends on with 

GATSBY_ENV_ON_CLIENT=myclientsidevariable

Words of warning

Any env variables that end up on the client are public and can be read by the user. In this case my WP/graphql url is publically accessible and can be queried by anybody. A potential vector of attack. If this was undesirable, gatsby cloud allows users to create serverless functions. Meaning we could interact with information that the client will never have access to. More on this in the future.