I recently submitted a Ruby CLI Portfolio project for the Online Software Engineering curriculum at Flatiron. If you are interested you can read more here, or go look at the course code on GitHub. The application used the Dark Sky API to retrieve weather forecasts, which required me to use an API key.
The Problem
The problem was that I had a review assessment and I did not want the reviewer to have to apply for an API key just to review the application. So, while developing, I decided to temporarily hard-code the API key into the source code, at least until the review process was complete.
Options
In Ruby, like in most other programming languages, there are a few options for securing API keys:
- Encrypt and store in a file (YML, CSV, etc.).
- Encrypt and store in a database.
- Use attr_encrypted.
- Use a .env file that is loaded only in development.
Since I was not using a database in this simple application, I ruled that option out and decided to use DOTENV. I had some experience with this technology in React and GatsbyJS projects, so it seemed to be a simple and effective solution.
Dotenv
So, I added the DOTENV gem to implement this security strategy. In the project gemfile I added the following dependency:

```ruby
spec.add_development_dependency 'dotenv', '~>2.7.5'
```
ENV File
You will need to create a hidden file in the root of your project named `.env`. This file will hold the API key to use during development. You will want to add this file to your `.gitignore` file so it does NOT get pushed to your repository.
In the `.env` file you will create a variable to hold your key:

```
DSKY_API_KEY=putyourkeyhere
```
Setup
You need to require the gem early in the application bootstrap cycle. In my case, the Request class called the API once. So, I added the following to require the gem and load the file:

```ruby
require 'dotenv'
Dotenv.load('./.env')
```

Next, in the method where the key was originally hard-coded:
```ruby
def self.fetch(location)
  coordinate_pts(location)
  ForecastIO.configure do |c|
    c.api_key = ENV['DSKY_API_KEY']
    c.default_params = { time: 600, exclude: 'minutely, hourly' }
  end
  @forecast = ForecastIO.forecast(@lat, @lon)
end
```

Notice the use of `ENV['DSKY_API_KEY']` in place of the original API key.
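To show what the load-then-read pattern above actually does, and the two failure modes worth handling around it (a key that is missing at runtime, and a `.env` value silently overriding a variable the environment already set), here is an added, stdlib-only example. It is not the post's code and not the dotenv gem; `load_env_file` is a hypothetical minimal stand-in that mimics the gem's default behaviour of not overriding existing variables, and the `.env` contents it reads are constructed for the demo.

```ruby
# Added example, not from the original post. A dependency-free stand-in for
# Dotenv.load so the pattern can be run without the gem installed. It reads
# KEY=value lines, skips comments and blank lines, strips matching quotes, and,
# like the real gem's default load, does NOT override variables already present
# in the environment (so a secret injected by CI wins over a stale .env).
require 'tempfile'

def load_env_file(path, env = ENV)
  loaded = {}
  File.foreach(path) do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next if key.nil? || value.nil?
    key = key.strip.sub(/\Aexport\s+/, '')
    value = value.strip
    quoted = value.length >= 2 &&
             ((value.start_with?('"') && value.end_with?('"')) ||
              (value.start_with?("'") && value.end_with?("'")))
    value = value[1..-2] if quoted
    next if env.key?(key) # existing environment wins
    env[key] = value
    loaded[key] = value
  end
  loaded
end

# Read a required secret and fail fast with a clear message instead of sending
# an empty key to the API, which would surface only as a confusing HTTP error.
def required_env(name, env = ENV)
  value = env[name]
  if value.nil? || value.strip.empty?
    raise KeyError, "#{name} is not set; add it to .env or export it in the shell"
  end
  value
end

# Mask a secret for log output so the key itself never lands in a log file.
def masked(secret)
  return '****' if secret.length <= 4
  ('*' * (secret.length - 4)) + secret[-4..]
end

# Constructed demo: write a throwaway .env and load it into a plain Hash that
# stands in for ENV, so the example never touches the real process environment.
def demo
  fake_env = { 'DSKY_API_KEY' => 'already-set-by-ci' } # pretend CI set it
  Tempfile.create('dotenv-example') do |f|
    f.puts '# constructed sample file, not a real key'
    f.puts 'DSKY_API_KEY=putyourkeyhere'
    f.puts 'export OTHER_SETTING="quoted value"'
    f.flush
    load_env_file(f.path, fake_env)
  end
  fake_env
end

if __FILE__ == $PROGRAM_NAME
  env = demo
  puts "DSKY_API_KEY -> #{masked(required_env('DSKY_API_KEY', env))}"
  puts "OTHER_SETTING -> #{env['OTHER_SETTING']}"
end
```

The point of `required_env` is that `ENV['DSKY_API_KEY']` returns `nil` when the file was not loaded (wrong path, or the gem required too late in the bootstrap), and `ForecastIO` would happily send a request with no key; raising at startup makes that misconfiguration obvious. The masking helper is the habit that keeps the key out of the `puts` debugging you inevitably add while wiring this up.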
So, that is pretty much it ... it works 💣 💥
Extra Security
For an extra security measure, I revoked my Dark Sky account so the API key that was in my commit history would be inactive.
Hope this tutorial helps you; leave a comment or hit me up on Twitter.
Top comments (2)
In addition to using environment variables I can recommend the tool github.com/dotenv-linter/dotenv-li... - it’s a lightning-fast linter for .env files.
Maybe it would be useful for you.
Broken link with trailing characters.
Rather: github.com/dotenv-linter/dotenv-li...