search

getgrav / grav-plugin-email

Grav Email Plugin
http://getgrav.org
MIT License
37 stars 29 forks source link

Avoid passwords in Git repos by using getenv #87

Closed DCBT closed 3 years ago

DCBT commented 6 years ago

I'm hosting in Heroku, direct from GitHub, and didn't want to expose my SendGrid API key in the repo.

I added a field in the blueprint to allow the user to enter the name of an environmental variable instead of a password:

    mailer.smtp.passwordenvvar:
      type: text
      size: medium
      label: Environmental Variable Name

And altered classes/Email.php to use the environmental variable value if the name was set:

              switch ($mailer) {
                case 'smtp':
                    $transport = \Swift_SmtpTransport::newInstance();

                    $options = $config->get('plugins.email.mailer.smtp');
                    if (!empty($options['server'])) {
                        $transport->setHost($options['server']);
                    }
                    if (!empty($options['port'])) {
                        $transport->setPort($options['port']);
                    }
                    if (!empty($options['encryption']) && $options['encryption'] != 'none') {
                        $transport->setEncryption($options['encryption']);
                    }
                    if (!empty($options['user'])) {
                        $transport->setUsername($options['user']);
                    }

                    if (!empty($options['passwordenvvar'])) {
                        $transport->setPassword(getenv($options['passwordenvvar']));
                    }
                    else if (!empty($options['password'])) {
                        Grav::instance()['log']->critical('password');
                        $transport->setPassword($options['password']);
                    }
                    break;

It's not perfect by any means, but it solved a problem I was having.

rhukster commented 5 years ago

I think this could be done...

ghtmtt commented 5 years ago

+1 I think that with the current configuration there could be really really easy that users will update the user/plugin/config/email.yaml with password and other sensible data. Is there any hashed password available? As for the admin plugin?

torohill commented 4 years ago

This issue is solved with the Dotenv plugin - https://github.com/Ralla/grav-plugin-dotenv/

NicoHood commented 3 years ago

I was also able to solve the issue with the dotenv plugin:

plugins.email.mailer.smtp.password='<password>'

I guess that is the best way to inject the password, isnt it @rhukster ?

rhukster commented 3 years ago

Environment variables are the 'safest' way to handle passwords such as these, but a lot of people simply don't have shell access and probably don't have the expertise to deal with environment variables.

I think the dotenv plugin solves the problem perfectly. I will probably use it myself 👍