OpenEugene / little-help-book-web

Human service resource guide powered by White Bird Clinic
MIT License
6 stars, 4 forks

Hide the secrets #159

Open markdav-is opened 3 years ago

markdav-is commented 3 years ago

Please scan your code looking for any secrets that could allow folks to compromise Airtable or any other data source. We have one read-only account API key that we use for the API. Beyond that no one should be using any personal API keys or other secrets. Secrets should never be checked into the repo on GitHub or deployed as part of the app via JavaScript.

You might have to research how best to store secrets for your server platform of choice. mvp-studio and Netlify both have ways to manage secrets. Managing secrets is a big part of developing and deploying software; I encourage everyone to take the time to research this topic and work together to find solutions.

colindavey commented 3 years ago

I believe that the only Airtable key in our repo is the read-only one, which appears in scripts/dal.js. That's the only source-code file that communicates with Airtable. I also searched on the string "key", which should find all keys in the repo because the keys are strings that begin with "key", and the aforementioned one is the only one that turned up.

markdav-is commented 3 years ago

Thanks for doing that. It's nice to know that the Airtable key is read-only. You will still want to hide these secrets as a matter of course, but maybe not at this time for this project. Nobody is auditing you, so no worries. If you want to keep this ticket alive you can, but I'm not too concerned either way.

colindavey commented 3 years ago

BTW, I originally found the read-only key (months ago) in the API code, though it doesn't seem to be there at the moment, so I assume you or someone moved it into a secrets file. It may still be somewhere on github in older commits, not that it matters, since it's read-only.

markdav-is commented 3 years ago

Managing secrets is a base feature of your deployment platform of choice. You are currently publishing your dev branch on Netlify and you could keep secrets there: https://dev.to/thisdotmedia/build-your-backend-with-netlify-functions-in-20-minutes-2gc4 mvp-studio uses K8s: https://kubernetes.io/docs/concepts/configuration/secret/ This is typically tied in with your build process.
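The Netlify route suggested above works because a Netlify Function runs on the server, where it can read the key from an environment variable set in the site settings, while the browser only ever talks to the function. The following is an added example of that shape, not code from the little-help-book-web project: the variable names AIRTABLE_API_KEY and AIRTABLE_BASE_ID, the ALLOWED_TABLES list and the /.netlify/functions/airtable path are assumptions, and the key and base id used when running it are constructed values. The handler is built by a factory so it can be exercised with a fake fetch and a fake environment.

```javascript
"use strict";

// Added example, not code from little-help-book-web: a Netlify Function that
// keeps the read-only Airtable key on the server side. The key comes from the
// AIRTABLE_API_KEY environment variable (set in the Netlify site settings,
// never committed); the browser calls this function instead of Airtable.
// AIRTABLE_BASE_ID, ALLOWED_TABLES and the function path are assumptions.

// Only tables the public site actually needs: a proxy holding a secret must
// not turn into a read-anything gateway to the base.
const ALLOWED_TABLES = new Set(["Resources", "Categories"]);

function json(statusCode, body, extraHeaders = {}) {
  return {
    statusCode,
    headers: { "Content-Type": "application/json", ...extraHeaders },
    body: JSON.stringify(body),
  };
}

// Factory so the handler can be tested with a fake fetch and fake env.
function createHandler({ fetchImpl = globalThis.fetch, env = process.env } = {}) {
  return async function handler(event) {
    const apiKey = env.AIRTABLE_API_KEY;
    const baseId = env.AIRTABLE_BASE_ID;
    if (!apiKey || !baseId) {
      // Misconfiguration: say so, but never echo env contents to the client.
      return json(500, { error: "server is not configured" });
    }
    if (event.httpMethod !== "GET") {
      return json(405, { error: "method not allowed" });
    }
    const params = event.queryStringParameters || {};
    const table = params.table;
    if (!ALLOWED_TABLES.has(table)) {
      return json(400, { error: "unknown table" });
    }
    const url = new URL(`https://api.airtable.com/v0/${baseId}/${encodeURIComponent(table)}`);
    if (params.offset) url.searchParams.set("offset", params.offset); // pagination cursor

    let upstream;
    try {
      upstream = await fetchImpl(url.toString(), {
        headers: { Authorization: `Bearer ${apiKey}` },
      });
    } catch (err) {
      return json(502, { error: "upstream unavailable" });
    }
    if (!upstream.ok) {
      // Pass the status through, not Airtable's body, which may describe the key.
      return json(502, { error: "upstream error", status: upstream.status });
    }
    const data = await upstream.json();
    return json(200, data, { "Cache-Control": "public, max-age=300" });
  };
}

// What the browser-side data layer (the role dal.js plays) would call instead
// of the Airtable API: no key is needed on this side.
async function fetchTable(table, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`/.netlify/functions/airtable?table=${encodeURIComponent(table)}`);
  if (!res.ok) throw new Error(`proxy returned ${res.status}`);
  return res.json();
}

// Netlify looks for the `handler` export.
module.exports = { handler: createHandler(), createHandler, fetchTable, ALLOWED_TABLES };
```

The design choice worth noting is that the function answers with its own fixed error messages rather than forwarding Airtable's responses or the environment on failure, so a misconfigured or rate-limited deployment cannot leak the key through an error page. Once the key lives only in the Netlify environment, the literal in scripts/dal.js can be deleted and, since it was committed, rotated in Airtable.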