Closed paulhennell closed 4 years ago
I'd recommend not embedding keys inside a PHAR file, because they can be extracted as they are not encrypted. 👍 They are usually compressed (using Gzip, etc.) or signed (using SHA256, etc.), but as far as I know Box doesn't support encrypted storage.
You are correct that the `env()` helper in a config file will bundle the value when running a build. 👍
Personally I tend to have a command such as `<my-app> register <token>` that saves the API key to `~/.config/<my-app>/config.yml` (or JSON). The Laravel Spark installer has a good example of doing this.
And then have a fallback to an env variable (e.g. `MY_API_KEY`) if that config value doesn't exist. That way you can set the `MY_API_KEY` value in your `.env` when developing.
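The pattern described above (a `register` command that writes the key to a per-user config file, with an environment-variable fallback for development), as an added PHP example for a Laravel Zero app. This is not laravel-zero's or Spark's own code; the app name `my-app`, the variable `MY_API_KEY`, the JSON file location and the class names are all assumptions. It also adds the permission handling a practitioner would want (owner-only directory and file) so the stored token is not readable by other local users.

```php
<?php
// Added example, not part of the laravel-zero project.
// In a real app each class lives in its own file under app/Commands.

namespace App\Commands;

use LaravelZero\Framework\Commands\Command;
use RuntimeException;

final class ApiKeyStore
{
    private string $path;

    public function __construct(?string $path = null)
    {
        // Assumed location: ~/.config/my-app/config.json (JSON rather than YAML
        // so no extra dependency is needed).
        $home = getenv('HOME') ?: (getenv('USERPROFILE') ?: sys_get_temp_dir());
        $this->path = $path ?? $home . '/.config/my-app/config.json';
    }

    public function path(): string
    {
        return $this->path;
    }

    // Persist the token outside the PHAR with owner-only permissions.
    public function save(string $token): void
    {
        $dir = dirname($this->path);
        if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
            throw new RuntimeException("Cannot create {$dir}");
        }
        $json = json_encode(['api_key' => $token], JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
        if (file_put_contents($this->path, $json . PHP_EOL, LOCK_EX) === false) {
            throw new RuntimeException("Cannot write {$this->path}");
        }
        chmod($this->path, 0600);
    }

    // Config file first; fall back to MY_API_KEY (e.g. from .env during development).
    public function resolve(): ?string
    {
        if (is_readable($this->path)) {
            $data = json_decode((string) file_get_contents($this->path), true);
            if (is_array($data) && !empty($data['api_key'])) {
                return (string) $data['api_key'];
            }
        }
        $fromEnv = env('MY_API_KEY'); // Laravel helper, read at runtime, not at build time
        return is_string($fromEnv) && $fromEnv !== '' ? $fromEnv : null;
    }
}

final class RegisterCommand extends Command
{
    protected $signature = 'register {token : The API token to store locally}';

    protected $description = 'Store your own API key outside the PHAR';

    public function handle(ApiKeyStore $store): int
    {
        $store->save((string) $this->argument('token'));
        $this->info('API key saved to ' . $store->path());

        return 0;
    }
}
```

Anywhere the app needs the key it calls `$store->resolve()` and reports a clear error (pointing the user at `my-app register`) when the result is `null`, instead of shipping a default value inside the build.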
That's what I feared with the phar bundling. Had an idea that involved Twitter, but you have to jump through hoops to get keys now, so wondered if I could just provide some in the built version so end users aren't required to get their own - but obviously don't want to leak mine!
Really need to think up less problematic fun little projects 😄
Yeah, it's always been a bit of an awkward thing to bundle. 🤔 But having a command to set it is usually quite easy for people. 👍 Is it ok to close this?
If you have any further questions, feel free to ask. (Also just noticed you're a fellow Bristol Dev). 👋
Sure, thanks for the advice Owen!
Is there a recommended way to safely work with & include API keys for open-source laravel-zero applications?
Reading the docs it seems if I can make a `.env` with API_KEY tokens, then reference those in the app like Laravel. Running build locally will then make a .phar which will work using my keys bundled inside, but anyone wanting to run / build from source would need to provide their own keys in their `.env` file?
A) Is this correct? B) Is it safe to distribute a phar with keys inside like this or can they be extracted?
Apologies for the possibly basic question, but I want to be clear on this before I make a mistake!
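On question B, a PHAR's contents are readable by anyone holding the file (Box compresses and can sign them, but does not encrypt them). The added script below is a pre-release check, not Box's or laravel-zero's tooling: it opens a built PHAR read-only and reports every bundled file whose contents contain a given secret value, so a maintainer can confirm nothing leaked before publishing. The path `builds/my-app.phar` is an assumption; the secret is passed on the command line so the script never contains one.

```php
<?php
// Added example, not part of the laravel-zero project.
// Usage: php check-phar.php builds/my-app.phar "$MY_API_KEY"

declare(strict_types=1);

/**
 * Return the paths inside $pharPath whose contents contain $secret.
 * Reading works even with phar.readonly=1; that setting only blocks writes.
 * Compressed entries are decompressed transparently by the phar:// wrapper.
 */
function pharFilesContaining(string $pharPath, string $secret): array
{
    if ($secret === '') {
        throw new InvalidArgumentException('secret must not be empty');
    }

    $hits = [];
    $phar = new Phar($pharPath);

    // The stub is part of the archive too, so check it as well.
    if (strpos($phar->getStub(), $secret) !== false) {
        $hits[] = '<stub>';
    }

    foreach (new RecursiveIteratorIterator($phar) as $file) {
        /** @var PharFileInfo $file */
        $contents = file_get_contents($file->getPathname());
        if ($contents !== false && strpos($contents, $secret) !== false) {
            $hits[] = $file->getPathname();
        }
    }

    return $hits;
}

if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === realpath(__FILE__)) {
    if ($argc !== 3) {
        fwrite(STDERR, "usage: php check-phar.php <path-to.phar> <secret-value>\n");
        exit(2);
    }

    $hits = pharFilesContaining($argv[1], $argv[2]);
    if ($hits === []) {
        echo "OK: secret not found in {$argv[1]}\n";
        exit(0);
    }

    echo "LEAK: secret found in:\n";
    foreach ($hits as $hit) {
        echo "  {$hit}\n";
    }
    exit(1);
}
```

Run it against the build in CI with the real key as the second argument; a non-zero exit blocks the release. A config file that used `env('API_KEY')` at build time shows up here as a hit under `config/`, which is exactly the case the question is asking about.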