Hide External API Keys

[Davinkjohnson]

Creating an issue to track work and progress.

[Davinkjohnson]

From Amber 7/18:
After extensive research and consultation with Brian, I think that we're ultimately going about this API Key work all wrong. I don't really see a way to remove it from Git entirely which does not require adding the use of a builder like webpack, which would change a lot of people's workflow for no real gain. (I'm also not 100% sure this would work for the dev environment at all.) Moreover, I don't think that's really the appropriate way to restrict use of this key. The appropriate way (as laid out in this article) would be to restrict the URLs that each API key is authorized on.

The one exception here is the use of local development on localhost:5000, which allows much more arbitrary usage than any of the dev/stage/prod apps. My suggestion for this, which I believe is currently viable, would be to:

Remove localhost from the list of permitted URLs for the dev app (should ideally already not be allowed for stage and prod)
Add an additional key to the dev project which is set to permit localhost usage
Send that key out via Box or some other method to developers who need it and have developers update some kind of local-dev/config.js file with the key, with the file itself being in .gitignore to prevent it being committed.

[Davinkjohnson]

@anthonypetersen @we-ai @JoeArmani Any thoughts on Amber's proposed solution for our external keys? (i.e. those keys which are not possible to put in a secret.)

[anthonypetersen]

sounds like a plan to me

[JoeArmani]

I agree this sounds like a good plan for Firebase keys.

[we-ai]

I agree that it's fine to keep Firebase API keys in repos, based on reasons mentioned.
Also, it's doable to hide those keys by removing those config.js files from our repos. Those files can be added back, manually or programmatically, to site files in CGP.

[amber-emmes]

I'm not entirely sure that's the case for the dev environment, which is hosted as a GitHub site. While it's possible to provide environment variables to GitHub, the file built with them would, in my research, still need to be uploaded to the GitHub branch from which the site is built.

[we-ai]

I'm not entirely sure that's the case for the dev environment, which is hosted as a GitHub site. While it's possible to provide environment variables to GitHub, the file built with them would, in my research, still need to be uploaded to the GitHub branch from which the site is built.

Yes, dev site files are in GitHub. Not sure whether they'll be moved to GCP or not.
Stage and prod site files are in GCP, and some files (like config files) can be removed from repos if needed.

[anthonypetersen]

The long term plan is to move dev into a GCP environment

[amber-emmes]

The local dev key work is now done. I'm planning to time revocation of localhost access for the dev key for the next prod release.