fix(gatsby-plugin-guess-js): don't leak jwt in gatsby-browser (#18434)

* fix(gatsby-plugin-guess-js): don't leak jwt in gatsby-browser

* add tests for jwt removal

* move to preInit to delete pluginOptions which actually works

Author: wardpeet

packages/gatsby-plugin-guess-js/src/__tests__/gatsby-node.js

@@ -0,0 +1,42 @@
+import { onPreInit, onPreBootstrap } from "../gatsby-node"
+import { GuessPlugin } from "guess-webpack"
+
+jest.mock(`guess-webpack`)
+
+describe(`gatsby-plugin-guess-js`, () => {
+  describe(`onPreInit`, () => {
+    it(`should delete jwt pluginOptions`, () => {
+      const pluginOptions = {
+        jwt: `mykeys`,
+      }
+
+      onPreInit({}, pluginOptions)
+
+      expect(pluginOptions).not.toHaveProperty(`jwt`)
+    })
+  })
+
+  describe(`onPreBootstrap`, () => {
+    it(`should still have a jwt token to be used in jwt`, () => {
+      const pluginOptions = {
+        jwt: `mykeys`,
+        // period: {
+        //   start: `2019-10-09`,
+        //   end: `2019-10-10`,
+        // },
+        GAViewID: `1234`,
+      }
+
+      onPreInit({}, pluginOptions)
+      onPreBootstrap({}, pluginOptions)
+
+      expect(GuessPlugin).toHaveBeenNthCalledWith(
+        1,
+        expect.objectContaining({
+          jwt: `mykeys`,
+          GA: `1234`,
+        })
+      )
+    })
+  })
+})

packages/gatsby-plugin-guess-js/src/gatsby-node.js

@@ -1,12 +1,32 @@
 const { GuessPlugin } = require(`guess-webpack`)
 
 let guessPlugin
+let jwt
+
 exports.onPreInit = (_, pluginOptions) => {
-  const { period, jwt, GAViewID, reportProvider } = pluginOptions
-  // delete sensitive information after use
+  jwt = pluginOptions.jwt
+
+  // remove jwt from our config as we don't want it to leak into gatsby-browser.js
   delete pluginOptions.jwt
-  period.startDate = new Date(period.startDate)
-  period.endDate = new Date(period.endDate)
+}
+
+exports.onPreBootstrap = (_, pluginOptions) => {
+  const { GAViewID, reportProvider } = pluginOptions
+  let { period } = pluginOptions
+
+  if (period) {
+    period.startDate = new Date(period.startDate)
+    period.endDate = new Date(period.endDate)
+  } else {
+    const startDate = new Date()
+    // We'll load 1 year of data if no period is being specified
+    startDate.setDate(startDate.getDate() - 365)
+    period = {
+      startDate,
+      endDate: new Date(),
+    }
+  }
+
   guessPlugin = new GuessPlugin({
     // GA view ID.
     GA: GAViewID,
@@ -28,12 +48,7 @@ exports.onPreInit = (_, pluginOptions) => {
 
     // Optional argument. It takes the data for the last year if not
     // specified.
-    period: period
-      ? period
-      : {
-          startDate: new Date(`2018-1-1`),
-          endDate: new Date(),
-        },
+    period,
   })
 }