It’s project week!
This means I have been spending my available time working on my Sinatra application. User sessions are one of the requirements. It involves enabling sessions and assigning a secret key or word to that session.
Which had me thinking, what is the purpose of a secret word if it can be seen in a public Github repository?
I heard of environmental variables and wanted to see if that would work here. I found several references to hiding sensitive information or API keys but none that fit in the context of my project. With trial, error, and help from the Flatiron community, I figured out a way to hide sensitive information using environmental variables and the dotenv Ruby gem.
This post outlines how to set up environmental variables and some common gotchas that you may run into.
I have written these directions in the context of the Sinatra project that is part of the Flatiron School Software Engineering course. The principles can work for other setups but may require revisions. If you are a Flatiron student working on this project, I highly recommend using the Corneal framework.
- In your project repo’s,
environment.rb( this is located within the
/configdirectory if you are using Corneal) add the following:
I added mine after
ActiveRecord::Base.establish_connectionalthough you may be able to place it elsewhere within the file.
- In the root directory of your project, if you do not already have them, create a
Within the console, a new file can be created by entering
touchfollowed by the name of the file.
.env.Any files or directories listed within
.gitignoreare now not being tracked by Git. Changes to the
.gitignoreshould be tracked, committed and pushed to your remote repo. Your
.envshould not be tracked, committed or pushed to a remote repo.
You can now use the
.env file to keep API keys, session secrets and more. To do that, assign a key and it’s value using this syntax:
NAME_OF_KEY="This is the value of NAME_OF_KEY"
In your project files, reference that value by using
.env is not tracked or pushed to your remote repo, your code will only contain the reference to the value instead of the value it’s self.
I ran into several issues with my app not loading after starting the server. Installing the dotenv with
gem install dotenv did not seem to work, but manually adding it to the
bundle install has been run and there are still unexpected results, double-check value names and where they are being called. For example,
ENV["NAME_OF_KEY"] may need to be escaped if it is part of a string or within a
Is anything safe?
If you have previously committed or pushed sensitive information to a repo, consider it stolen. Update any passwords or generate new API keys as soon as possible. Sensitive information can be removed from Github, and previous commits can be reverted but that information may exist in a forked repo on someone else’s computer. Even if a repo is private, that information still exists on a server somewhere. If someone gained access to that server who shouldn’t (hello data breaches), they will have access to that information.
I am not trying to scare you. Just to think about what information you are posting on the web.