问题
I'm creating an application I wish to open-source in the coming weeks. The source code is on Github and Heroku autodeploys the code when there is a new commit if it passes the Travis CI tests.
In this application, I've several API keys that I managed to keep out of the open source repository by using env variables in my heroku dynos.
For the Google server-to-server API, however, I must have a .p12 file. In php, the following will authenticate my client:
$client = new Google_Client();
$client->setApplicationName("Client_Calendar");
$service = new Google_Service_Calendar($client);
$key = file_get_contents('myKey.p12');
var_dump($key);
$cred = new Google_Auth_AssertionCredentials(
'xxx@gserviceaccount.com',
array('https://www.googleapis.com/auth/calendar'),
$key
);
$client->setAssertionCredentials($cred);
if ($client->getAuth()->isAccessTokenExpired()) {
$client->getAuth()->refreshTokenWithAssertion($cred);
}
...
$event = $service->events->insert($calendarId, $event, $sendNotifications);
At first, I thought I could extract the content of the $key variable and insert it in another heroku environment variable but the content is encrypted.
So, here's the question: How do you protect your .p12 key from being stolen in an open source repository?
PS: I simply create Google Calendar events and send notifications to the attendees; if you you know a way to do that without using .p12 file, I am all ears.
回答1:
Don't commit it. Seriously, it's that easy. You were on the right track with heroku config variables. In fact even from posting it here you're probably going to want to request a new key.
There's a suggestion to store whole config files in other places that may need credentials that you can store. S3 is a great place for that kind of thing. S3 has an amazing PHP component, too, for accessing S3 buckets.
来源:https://stackoverflow.com/questions/35137838/how-to-protect-google-api-key-in-an-open-source-github-heroku-application