FR: ParseEnv support for sensitive API/sign keys

aelvan / Imager-Craft

This plugin has been DEPRECATED. Check out Imager X instead.

MIT License

342 stars 69 forks source link

FR: ParseEnv support for sensitive API/sign keys #230

Closed jamesmacwhite closed 5 years ago

jamesmacwhite commented 5 years ago

I'm currently referencing the Imgix API and sign key with getenv() in config/imager.php, however this isn't ideal and not recommended for the best security practices.

https://docs.craftcms.com/v3/extend/environmental-settings.html

It would be nice if Imager would support being able specify these values through the special Craft environment syntax of $SECRET_ENV_VAR.

Something like:

'imgixApiKey' => '$IMGIX_API_KEY',
 'imgixConfig' => [
   'default' => [
       'domains' => ['domain.imgix.net'],
       'useHttps' => true,
    'signKey' => '$IMGIX_SIGN_TOKEN',
        'sourceIsWebProxy' => false,
        'useCloudSourcePath' => true,
    'shardStrategy' => 'cycle',
     getExternalImageDimensions' => true,
         ....
    ]
]

aelvan commented 5 years ago

Where did you read that the use of getenv() is not recommended? The use of the special $<SECRET_ENV_VAR> is necessary if a plugin has a control panel settings interface, to make sure that those values aren't parsed and stored in the DB or project config. But Imager doesn't have control panel settings.

The only thing that happens in the Craft::parseEnv method, is that the $ is matched, and getenv() is run on the variable name. The only difference I can think of is if the config files are actually compiled at some point and stored in a compiled state somewhere - but I find that highly unlikely.

Then again, I've been known to be wrong, so let me know where you got the recommendation from. :)

jamesmacwhite commented 5 years ago

Thanks for your response! I think I might have misinterpreted some guidelines somewhere! I think, because with Craft 3.1 and the project.yaml, using getenv() can expose secret keys and such in plain text unless using the $ENV_VAR syntax but as far as I know Imager doesn't write any such info like this. If it did in the future then maybe it might be a problem. That's I think where I'm getting a bit paranoid.

Environment variables while are generally secure, there are some concepts where super sensitive keys are stored in something like secrets.json, which can be passed to Craft as environment variables, but their storage in production is in an encrypted file, rather than plain text and aren't seen to PHP info if you were to do something like phpinfo();

However, if getenv() is generally fine for settings not stored in the DB, then that's fine with me.

aelvan commented 5 years ago

Yeah, Imager doesn't store any settings in the DB or project config, so it doesn't matter.

I'll probably start using Craft::parseEnv at some point, just for consistency since I already parse alias' for some settings. But since it requires 3.1, I want to hold off as long as possible so I don't need to bump the requirements.