2

I'm a bit of a newbie, but already running apps with Meteor.js. Since I'm now working with API keys I'm finally realizing that security is a thing, and so I placed my keys in a settings.json, and am instructed not to commit, or to .gitignore the file. But despite reading the documentation, this all seems very counter-intuitive. If I need the variables to make my HTTP requests, then how can my app possibly function without adding my keys, in some form, to the repo? I know the answer is "it can," but how? (In general terms, I don't need a Meteor specialist yet.)

Typing this question out makes me feel pretty ignorant for the stage I'm at, but the docs out there for some reason are not clarifying this for me.

1 Answer

3

You can generate the file with sensitive information on git checkout.

That is called a smudge script, part of a content filter driver, using a .gitattributes declaration.

(image from "Customizing Git - Git Attributes", from "Pro Git book")

That 'smudge' script (that you have to write) would need to:

  • fetch the right key (from a source outside the repo, that way no risk to add and push by mistake)
  • generate the settings.json, using a tracked manifest template settings.json.tpl with placeholder value in it to replace.

That means:

  • the template settings.json.tpl is added to the git repo
  • the generated file settings.json is declared in the .gitignore file and never versioned.
VonC
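A sketch of the smudge script the answer describes, as an added example that is not part of the original answer. The script path, the filter name `settings`, the `@API_KEY@` placeholder and the key file location are all assumptions, and the script assumes Git runs the filter from the top of the working tree.

```shell
#!/bin/sh
# Hypothetical smudge filter for the tracked template settings.json.tpl.
# One-time local setup (assumed names; the filter config stays in .git/config):
#   echo 'settings.json.tpl filter=settings' >> .gitattributes
#   echo 'settings.json' >> .gitignore
#   git config filter.settings.smudge 'sh scripts/smudge-settings.sh --smudge'
PLACEHOLDER=${SETTINGS_PLACEHOLDER:-@API_KEY@}             # assumed token in the template
KEY_FILE=${SETTINGS_KEY_FILE:-$HOME/.config/myapp/api_key} # assumed path outside the repo

# Template on stdin, rendered settings on stdout; $1 is the key file.
render_settings() {
    [ -r "$1" ] || { echo "smudge: cannot read key file $1" >&2; return 1; }
    key=$(head -n 1 "$1" | tr -d '\r\n')
    case $key in
        '')         echo "smudge: key file is empty" >&2; return 1 ;;
        *\"*|*\\*)  echo "smudge: key would break JSON quoting" >&2; return 1 ;;
    esac
    # The key travels in the environment, not argv, and is substituted
    # literally, so characters such as & or / need no escaping.
    SMUDGE_KEY=$key awk -v ph="$PLACEHOLDER" '{
        out = ""; line = $0
        while ((i = index(line, ph)) > 0) {
            out = out substr(line, 1, i - 1) ENVIRON["SMUDGE_KEY"]
            line = substr(line, i + length(ph))
        }
        print out line
    }'
}

# Git pipes the template blob to stdin and expects the working-tree version of
# settings.json.tpl on stdout; settings.json is written as a side effect.
smudge_main() {
    tpl=$(mktemp) || return 1
    cat > "$tpl"
    ( umask 077                       # generated file readable by owner only
      if render_settings "$KEY_FILE" < "$tpl" > settings.json.tmp; then
          mv settings.json.tmp settings.json
      else
          rm -f settings.json.tmp     # never leave a half-written settings file
      fi )
    cat "$tpl"                        # template reaches the checkout unchanged
    rm -f "$tpl"
}

if [ "${1:-}" = "--smudge" ]; then smudge_main; fi
```

Git runs the filter only when it writes settings.json.tpl into the working tree, so settings.json is regenerated on a fresh clone or a checkout that touches the template.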