JonWash86 / Bonsai-Radio

A playlist management application which leverages the Spotify and last.fm APIs to bring joy to music nerds
http://www.bonsairadio.com
1 star, 1 fork

(non-urgent, TODO before production) last.fm api key checked in #10

Open jrheard opened 5 years ago

jrheard commented 5 years ago

Yoooo - in version 8f81ca4, file public/scripts/last.js, I see an API key in those URLs. I know this is just test code, but now that that API key is checked in, it's possible for a malicious third party (e.g. someone running some sort of script that scrapes public GitHub repos looking for API keys) to get that information from your GitHub repo even if you make a commit that deletes those strings.

We talked about something similar for Spotify, so you'll remember that the way to fix this is:

  1. Make a new last.fm app, or whatever the terminology is.
  2. Figure out how to store that new app's API key in an environment variable on your computer.
  3. Figure out how to get your code to read the value of that environment variable (you'll probably give it a name like LASTFM_API_KEY, or whatever you like).
  4. Delete the old last.fm app.

This is non-urgent; you don't have to do it today or this week or this month, but you'll definitely want to do it before station-manager's eventual launch. Just writing it down as a GitHub issue so neither of us forgets!

jrheard commented 5 years ago

Alternatively, it's possible that your API key is OK to share publicly and that the only thing that's truly secret is your secret; I don't know how the last.fm API works. If it's fine for your API key to be visible, please go ahead and close this issue!

JonWash86 commented 1 year ago

I'm checking this into an env variable, and this has taken on a new dimension: I string together my requests in the non-server JS, and I should be using process.env on the Node/server side. My next task is to successfully move this request (at least the logic concatenating the request URL) to the server.
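The following is an added example illustrating both jrheard's steps 2-3 (read the key from an environment variable) and the server-side move JonWash86 describes above; it is not code from the Bonsai-Radio repository. It assumes the last.fm 2.0 endpoint at ws.audioscrobbler.com with `api_key` passed as a query parameter, the variable name LASTFM_API_KEY, and an illustrative `/api/lastfm` route and method allow-list; the browser only ever sees that route, so the key never appears in anything under public/. Sample request URLs in the comments are constructed for illustration.

```javascript
// Added example, not Bonsai-Radio project code. Node-side construction of last.fm
// request URLs so the API key stays in process.env and out of public/scripts/.
// Assumptions: last.fm 2.0 root URL, LASTFM_API_KEY name, /api/lastfm route and
// the method allow-list below are all illustrative choices for this example.

const LASTFM_API_ROOT = 'https://ws.audioscrobbler.com/2.0/';

// Methods the browser is allowed to request through the proxy. Anything else is
// refused, so the proxy cannot be used to call arbitrary last.fm methods with our key.
const ALLOWED_METHODS = new Set(['artist.getinfo', 'artist.getsimilar', 'track.search']);

// Read the key once at startup and fail loudly if it is missing, so a misconfigured
// deploy never silently falls back to an empty or hard-coded value.
function loadApiKey(env = process.env) {
  const key = env.LASTFM_API_KEY;
  if (typeof key !== 'string' || key.trim() === '') {
    throw new Error('LASTFM_API_KEY is not set; export it in the server environment');
  }
  return key.trim();
}

// Pure function: assemble the upstream URL. The key is appended here, on the server.
// Client-supplied api_key/method/format values are ignored so a caller cannot
// override them; only string-valued params are copied across.
function buildLastfmUrl(method, params, apiKey) {
  if (!ALLOWED_METHODS.has(method)) {
    throw new Error(`method not allowed: ${method}`);
  }
  const url = new URL(LASTFM_API_ROOT);
  for (const [k, v] of Object.entries(params)) {
    if (k === 'api_key' || k === 'method' || k === 'format' || typeof v !== 'string') continue;
    url.searchParams.set(k, v);
  }
  url.searchParams.set('method', method);
  url.searchParams.set('api_key', apiKey);
  url.searchParams.set('format', 'json');
  return url.toString();
}

// Validate an incoming browser request (constructed example:
// "/api/lastfm?method=artist.getinfo&artist=Radiohead") without touching the network.
// Returns { ok: true, upstream } or { ok: false, status, body }.
function planLastfmRequest(reqUrl, apiKey) {
  const incoming = new URL(reqUrl, 'http://localhost');
  if (incoming.pathname !== '/api/lastfm') {
    return { ok: false, status: 404, body: 'not found' };
  }
  const params = Object.fromEntries(incoming.searchParams);
  try {
    return { ok: true, upstream: buildLastfmUrl(params.method, params, apiKey) };
  } catch (err) {
    // The error text names the method only, never the upstream URL or the key.
    return { ok: false, status: 400, body: err.message };
  }
}

// Async handler: relay the upstream response body to the browser. fetchImpl is
// injectable so the handler can be exercised offline; it defaults to Node's global fetch.
async function handleLastfm(reqUrl, apiKey, fetchImpl = globalThis.fetch) {
  const plan = planLastfmRequest(reqUrl, apiKey);
  if (!plan.ok) return { status: plan.status, body: plan.body };
  const res = await fetchImpl(plan.upstream);
  return { status: res.status, body: await res.text() };
}
```

Wire `handleLastfm(req.url, loadApiKey())` into whatever server you use (an `http.createServer` callback or an Express route), and change the browser code in public/scripts/last.js to call `/api/lastfm?method=artist.getinfo&artist=...` instead of ws.audioscrobbler.com directly. Two things worth checking once this is in place: `git grep` the old key string across all branches to confirm it is gone from the working tree (it will still be in history, which is why jrheard's step 4, deleting the old app, is the part that actually revokes it), and confirm the new key is only ever read via `process.env` in server-side files.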