Drop support for application keys (#127)

Application keys are not actually needed for submitting metrics or distributions (or events or logs, in case we ever wind up supporting that), so specifying them risks exposing a potentially more powerful credential for no real reason. When support for them was originally added, this library used a single, globally configured Datadog client, so it made sense to allow configuring it with an app key in case a developer using this library *also* wanted to use that global API client for other things. That's no longer the case (the client is not accessible from outside this library), so there's no reason to continue to support this, which might encourage dangerous use.
dbader · Nov 28, 2024 · 488adc7 · 488adc7
1 parent 8f88c9f
commit 488adc7
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -129,12 +129,13 @@ Where `options` is an object and can contain the following:
       is required to send metrics.
     * Make sure not to confuse this with your _application_ key! For more
       details, see: https://docs.datadoghq.com/account_management/api-app-keys/
-* `appKey`: Sets the Datadog application key. (optional)
-    * It's usually best to keep this in an environment variable. Datadog-metrics
-      looks for the application key in `DATADOG_APP_KEY` by default.
-    * This is different from the API key (see above), which is required. For
-      more about the different between API and application keys, see:
-      https://docs.datadoghq.com/account_management/api-app-keys/
+* `appKey`: ⚠️ Deprecated. This does nothing and will be removed in an upcoming
+    release.
+
+    Sets the Datadog _application_ key. This is not actually needed for sending
+    metrics or distributions, and you probably shouldn’t set it. Do not confuse
+    this with your _API_ key! For more, see:
+    https://docs.datadoghq.com/account_management/api-app-keys/
 * `defaultTags`: Default tags used for all metric reporting. (optional)
     * Set tags that are common to all metrics.
 * `onError`: A function to call when there are asynchronous errors seding
@@ -346,6 +347,7 @@ Contributions are always welcome! For more info on how to contribute or develop
 
     * Buffer metrics using `Map` instead of a plain object.
 
+    * Deprecated the `appKey` option. Application keys (as opposed to API keys) are not actually needed for sending metrics or distributions to the Datadog API. Including it in your configuration adds no benefits, but risks exposing a sensitive credential.
 
     [View diff](https://github.com/dbader/node-datadog-metrics/compare/v0.11.4...main)
 

diff --git a/lib/loggers.js b/lib/loggers.js
@@ -40,7 +40,8 @@ const Distribution = require('./metrics').Distribution;
 /**
  * @typedef {object} BufferedMetricsLoggerOptions
  * @property {string} [apiKey] Datadog API key
- * @property {string} [appKey] Datadog APP key
+ * @property {string} [appKey] DEPRECATED: App keys aren't actually used for
+ *           metrics and are no longer supported.
  * @property {string} [host] Default host for all reported metrics
  * @property {string} [prefix] Default key prefix for all metrics
  * @property {string} [site] Sets the Datadog "site", or server where metrics
@@ -98,7 +99,7 @@ class BufferedMetricsLogger {
         /** @private */
         this.aggregator = opts.aggregator || new Aggregator(opts.defaultTags);
         /** @private @type {ReporterType} */
-        this.reporter = opts.reporter || new DatadogReporter(opts.apiKey, opts.appKey, opts.site);
+        this.reporter = opts.reporter || new DatadogReporter(opts.apiKey, opts.site);
         /** @private */
         this.host = opts.host;
         /** @private */

diff --git a/lib/reporters.js b/lib/reporters.js
@@ -22,12 +22,24 @@ class DatadogReporter {
     /**
      * Create a reporter that sends metrics to Datadog's API.
      * @param {string} [apiKey]
-     * @param {string} [appKey]
+     * @param {string} [appKey] DEPRECATED! This argument does nothing.
      * @param {string} [site]
      */
     constructor(apiKey, appKey, site) {
+        if (appKey) {
+            if (!site && /(datadoghq|ddog-gov)\./.test(appKey)) {
+                site = appKey;
+                appKey = null;
+            } else {
+                logDeprecation(
+                    'The `appKey` option is no longer supported since it is ' +
+                    'not used for submitting metrics, distributions, events, ' +
+                    'or logs.'
+                );
+            }
+        }
+
         apiKey = apiKey || process.env.DATADOG_API_KEY;
-        appKey = appKey || process.env.DATADOG_APP_KEY;
         this.site = site || process.env.DATADOG_SITE || process.env.DATADOG_API_HOST;
 
         if (!apiKey) {
@@ -37,7 +49,6 @@ class DatadogReporter {
         const configuration = datadogApiClient.client.createConfiguration({
             authMethods: {
                 apiKeyAuth: apiKey,
-                appKeyAuth: appKey
             }
         });
         if (this.site) {