I recently made one of my projects, a chatroom made in reactjs, open source...
what I forgot was that I had stored the firebase config key in the code itself from the beginning of the project instead of using a local environment variable to store it.
I can remove the key bit and commit on top but how do I remove it from all the previous commits as well, I would like to keep my commit history.
GitHub has an article exactly for this topic: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository.
They suggest using https://rtyley.github.io/bfg-repo-cleaner/ to clean the files.
I suggest you create a file containing the secret key and then use
java -jar bfg.jar --replace-text passwords.txt
If you have your repository on a remote server, like GitHub, you can push the changes using
git push --force
Once a secret key has been published, it will need to be considered compromised. The best course of action is to remove the key from the repository but also invalidate it in Firebase and generate a new key.
If it is a straight line, it's rather simple to do.
First step If the revision you want to modify is the first one:
git rebase --root -i
If it's not the first one:
git rebase -i revision-where-the-creds-were-added~# make sure to use the pigtail
Then continue like this either way:
# set the first revision to edit or e
# leave everything else with pick
# save and exit
# rebase will start and will stop right after the revision you want to modify is applied
# do what is necessary to remove the creds
git add the-files-that-were-modified
git commit --amend
git rebase --continue
And you are done.
