Credentials in plain text in JS generated for PWA/Browser?

We are releasing a PWA/mobile web app version using Ionic and have discovered the credentials to our database and payment processor are available for anyone to see in the generated JavaScript. Yikes!!

What are the best practices and proper way to handle this?

Do all the interaction that requires these secrets on servers under your control. The Ionic app should just make HTTP requests to a middleware application. The middleware app talks to the database and payment processor.