One thing I see people get wrong all the time when encrypting API keys is that they do not use the right id. They will typically use their app name or something like that, and their secrets will not be decrypted properly.
The other hard-to-use aspect of this is that secret.decrypt will simply fail if the id used to encrypt the key doesn't match that of the manifest; instead, it should return None, so that developers can handle this in their code more gracefully and show the right kind of error screen if the key was encrypted inappropriately.
Another idea could be that the user never even passes the id; the command should look it up from the local manifest so that a developer cannot do it wrong.
Lastly, there ought to be some way for developers to test this before submitting PRs. It is frustrating for developers to submit a PR and see their app fail to render because they messed up something in secret.decrypt. Can pixlet check be enhanced to somehow determine if secret.decrypt is being used, and if so, see what id was used to encrypt the secret? If we can't do that locally, can the build/test pipeline check for this in some way?