Describe the bug:
The premium-embedding-token license key is visible to users.
The key can be copied and entered on any installation, and the owners of the key will have to pay for those users.
At the same time, there is no way to find out where the key was used, or to block use of the key by hostname or IP address.
To reproduce:
The key can be seen in the browser, in the response from the API endpoint /api/session/properties.
This endpoint is called whenever any public Metabase page is opened (see the screenshot below).
- Open any public Metabase page, then open the browser's Developer Tools and go to the Network tab.
- In the response body for the /api/session/properties endpoint, find premium-embedding-token.
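The same check, automated, as an added example that is not part of the original report or of Metabase itself: it requests /api/session/properties with no session cookie, exactly as an anonymous visitor's browser would, and reports whether a non-empty premium-embedding-token is present. The sample responses are constructed, not captured from a real instance, and the script only ever prints a masked form of the value so that running the check does not copy the key into logs.

```python
"""Check whether a Metabase instance exposes premium-embedding-token to an
unauthenticated client via GET /api/session/properties.

Added example; not Metabase code. Sample responses below are constructed.
"""
import json
import sys
import urllib.request

TOKEN_KEY = "premium-embedding-token"


def leaked_token(properties):
    """Return the token if the properties map exposes a non-empty
    premium-embedding-token, otherwise None.

    Accepts either a parsed dict or the raw JSON text of the response.
    An empty or missing value is treated as "not exposed".
    """
    if isinstance(properties, (str, bytes)):
        properties = json.loads(properties)
    value = properties.get(TOKEN_KEY)
    if isinstance(value, str) and value.strip():
        return value
    return None


def fetch_session_properties(base_url, timeout=10):
    """GET /api/session/properties with no cookies or auth headers,
    i.e. as the browser of an anonymous visitor to a public page would."""
    url = base_url.rstrip("/") + "/api/session/properties"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def mask(token, keep=4):
    """Keep only the last `keep` characters so the report does not re-leak the key."""
    return "*" * max(len(token) - keep, 0) + token[-keep:]


# Constructed sample responses (hypothetical values, not from a real server).
SAMPLE_LEAKING = json.dumps({"site-name": "Demo", TOKEN_KEY: "0123456789abcdef0123456789abcdef"})
SAMPLE_CLEAN = json.dumps({"site-name": "Demo"})


if __name__ == "__main__":
    # Usage: python check_token_leak.py https://metabase.example.com
    # With no argument, runs against the constructed leaking sample.
    if len(sys.argv) > 1:
        props = fetch_session_properties(sys.argv[1])
    else:
        props = json.loads(SAMPLE_LEAKING)
    tok = leaked_token(props)
    if tok:
        print("LEAK: premium-embedding-token exposed to anonymous clients:", mask(tok))
    else:
        print("OK: premium-embedding-token not present in /api/session/properties")
```

Run it against an instance's base URL from a machine that holds no Metabase session; if it reports a leak, anyone who can load a public page can read the key.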
Expected behavior:
- The premium-embedding-token key is returned encrypted.
- Restriction of key usage by hostnames and IP addresses.
- It is possible to see the IP addresses and hostnames where the key was used.
Currently, it is possible to hide the key in the /admin/settings/license interface by using environment variables, but this doesn't affect the /api/session/properties endpoint.
This is probably the main bug, and the one that can be fixed promptly.