GitHub is a great place to publish your code, and you are often required to post code there when learning to code. If you are writing a NodeJS app and are required to publish it to GitHub, be careful not to push any code that contains secret API keys. Those keys can be scraped from public repositories and used in someone else's apps, under your name and at your expense.
Don't have time to read all the stuff below? I get it. Add lines like
export KEY=value
export ANOTHER_KEY=anothervalue
to your ~/.bash_profile using your text editor of choice. Access KEY inside your NodeJS app by referring to:
var key = process.env.KEY
var anotherKey = process.env.ANOTHER_KEY
NodeJS has access to the process object while executing an app. You may have used this object before to get at any arguments you passed in when calling your app, via process.argv. It is possible to set up variables in a file named .bash_profile that will be available on the process object when you run your NodeJS app. The notation process.env.SECRET_KEY (where SECRET_KEY is named whatever you like) can then be used to access the information you are trying to keep out of your code.
To demonstrate setting this up on macOS Terminal.app and on Windows via Git Bash, I will walk through creating the .bash_profile file, adding keys to it, and accessing said keys via JavaScript. If you have a better way or suggestions for making this even more secure, please feel free to comment. Think I'm full of something... let me know! I care so much ;).
I'm not sure... You may or may not already have one of these. Let's find out. The following steps assume you know how to navigate using a terminal prompt.
- Navigate to your home directory: cd ~
- Display ALL of its contents: ls -a
Do you happen to see a .bash_profile in there? If so, we will edit that to store our keys. If not, let's make one that we will edit.
- Create the file if it doesn't exist already: touch .bash_profile
Now that you had (or now have) the .bash_profile, let's open it up. (I should probably do this in a terminal based editor like emacs or vim, but I am a sucker for GUI text editors. Sorry internet, I am teaching new coders. With time they can learn whichever command line text editor their mentor tells them is the MUST USE. For now, let's use a GUI app.)
- Do you use Atom.app?
atom .bash_profile
- Maybe just TextEdit...
open .bash_profile
- On Windows and using Git Bash?
explorer .bash_profile
NOTE: Git Bash USED to read the .bashrc file but NOW reads .bash_profile. See this GitHub Issue for more info.
Awesome! You can do some very powerful stuff with this file. It gets read and executed every time a new shell is opened. Let's store our keys for a NodeJS app that will access Spotify, Twitter, and OMDB.
- Add the following lines to the .bash_profile:
export SPOTIFY_ID=34e84d...
export SPOTIFY_SECRET=5162cd8b...
export OMDB_API_KEY=40e...
export TWITTER_CONSUMER_KEY=SZshdfy3jd...
export TWITTER_CONSUMER_SECRET=AMDdksduA293d...
export TWITTER_ACCESS_TOKEN_KEY=23242-dsf...
export TWITTER_ACCESS_TOKEN_SECRET=wndps23jsd...
- Replace the values of each key with the actual value you obtained from each source.
- Save your work.
It is likely you already have a terminal window open. Type . ~/.bash_profile in it to get it to execute your newly saved file. This is needed only for your already-open terminal. Every future terminal session will read this file and have access to these keys.
Now you have access to these keys in your NodeJS app. Let's imagine you are making an app that will need them. It could now contain code that looks like the following:
var twitterKeys = {
  consumer_key: process.env.TWITTER_CONSUMER_KEY,
  consumer_secret: process.env.TWITTER_CONSUMER_SECRET,
  // the name here must match the export line exactly: TWITTER_ACCESS_TOKEN_KEY
  access_token_key: process.env.TWITTER_ACCESS_TOKEN_KEY,
  access_token_secret: process.env.TWITTER_ACCESS_TOKEN_SECRET
}
Include that in your git repository and feel free to commit it. The .bash_profile in your home folder won't be included when you push to GitHub, and your code will execute correctly on your machine. If someone clones the repository to their computer, they just need to add the same variable names, with their own key values, to their own .bash_profile. Now your app will run on their machine too.
A bit of extra work but it keeps your keys private.
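The snippet above reads each key straight off process.env, so a missing or misnamed export (say, TWITTER_ACCESS_TOKEN instead of TWITTER_ACCESS_TOKEN_KEY) silently becomes undefined and only fails later, deep inside the Twitter client. The following is an added example, not code from the original post: a small config loader that checks every required name up front, reports the missing names (never their values), and builds the same config object. The REQUIRED list mirrors the export lines above; the SAMPLE_ENV values are constructed placeholders, not real keys.

```javascript
'use strict';

// Names the app expects; these match the export lines in ~/.bash_profile.
const REQUIRED = [
  'SPOTIFY_ID',
  'SPOTIFY_SECRET',
  'OMDB_API_KEY',
  'TWITTER_CONSUMER_KEY',
  'TWITTER_CONSUMER_SECRET',
  'TWITTER_ACCESS_TOKEN_KEY',
  'TWITTER_ACCESS_TOKEN_SECRET',
];

// Returns the required names that are unset or empty in `env`.
function missingKeys(env, required) {
  return required.filter((name) => !env[name] || env[name].trim() === '');
}

// Builds the config object from an env object (normally process.env).
// Throws an Error that names the missing variables, and only the names:
// secret values must never end up in error messages or logs.
function loadConfig(env, required = REQUIRED) {
  const missing = missingKeys(env, required);
  if (missing.length > 0) {
    throw new Error(
      'Missing environment variables: ' + missing.join(', ') +
      '. Add `export NAME=value` lines to ~/.bash_profile and run `. ~/.bash_profile`.'
    );
  }
  return {
    spotify: { id: env.SPOTIFY_ID, secret: env.SPOTIFY_SECRET },
    omdb: { apiKey: env.OMDB_API_KEY },
    twitter: {
      consumer_key: env.TWITTER_CONSUMER_KEY,
      consumer_secret: env.TWITTER_CONSUMER_SECRET,
      access_token_key: env.TWITTER_ACCESS_TOKEN_KEY,
      access_token_secret: env.TWITTER_ACCESS_TOKEN_SECRET,
    },
  };
}

// Masks a secret for log output: short values are fully hidden, longer
// values keep their first four characters so you can tell keys apart.
function redact(value) {
  if (typeof value !== 'string' || value.length === 0) return '<unset>';
  if (value.length <= 8) return '*'.repeat(value.length);
  return value.slice(0, 4) + '*'.repeat(value.length - 4);
}

// Startup summary that is safe to print: which keys are present, never their values.
function describeEnv(env, required = REQUIRED) {
  return required.map((name) => name + '=' + redact(env[name]));
}

// Constructed sample env with placeholder values (not real keys), used so the
// demo below runs without touching the real process.env.
const SAMPLE_ENV = {
  SPOTIFY_ID: 'placeholder-spotify-id',
  SPOTIFY_SECRET: 'placeholder-spotify-secret',
  OMDB_API_KEY: 'placeholder-omdb-key',
  TWITTER_CONSUMER_KEY: 'placeholder-consumer-key',
  TWITTER_CONSUMER_SECRET: 'placeholder-consumer-secret',
  TWITTER_ACCESS_TOKEN_KEY: 'placeholder-access-token-key',
  TWITTER_ACCESS_TOKEN_SECRET: 'placeholder-access-token-secret',
};

// Shows the success path and the failure path (one key blanked out).
function demo() {
  console.log(describeEnv(SAMPLE_ENV).join('\n'));
  const broken = Object.assign({}, SAMPLE_ENV, { TWITTER_ACCESS_TOKEN_KEY: '' });
  try {
    loadConfig(broken);
  } catch (err) {
    console.log('Startup would fail with: ' + err.message);
  }
  return loadConfig(SAMPLE_ENV);
}

demo();
```

In a real app you would call loadConfig(process.env) once at startup and pass the returned object to your API clients. Keep in mind what this scheme does and does not protect: the keys stay out of your repository, but anything in process.env is readable by every process running as your user and is inherited by child processes, so never log it whole and never echo it back in an error page.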
Of course! Head over to your Terminal and do the following.
- Launch NodeJS by typing:
node
- Have NodeJS display your env:
process.env
- Look at one of the keys you stored:
process.env.TWITTER_CONSUMER_KEY
Cool! Always nice to see how many choices there are out there. You may have to use some Google Fu and search the web for how to add env variables for your Terminal of choice. One of my students uses zsh instead of bash. He had to put the export KEY=value lines inside a file named .zshrc in his home directory. Everything else worked AOK.
dotenv is really cool... A bit more setup, but it works well. It is nice because you can move your env variables into the app directory where they're needed, so not every app that runs will have access to them. Just make sure to add .env to the .gitignore. Read more about dotenv on its GitHub repository page.