How to protect Google API Key in an open-source (Github + Heroku) application

醉酒当歌 提交于 2021-02-09 09:16:04

问题


I'm creating an application I wish to open-source in the coming weeks. The source code is on Github and Heroku autodeploys the code when there is a new commit if it passes the Travis CI tests.

In this application, I've several API keys that I managed to keep out of the open source repository by using env variables in my heroku dynos.

For the Google server-to-server API, however, I must have a .p12 file. In php, the following will authenticate my client:

$client = new Google_Client();
$client->setApplicationName("Client_Calendar");
$service = new Google_Service_Calendar($client);

$key = file_get_contents('myKey.p12');
var_dump($key);

$cred = new Google_Auth_AssertionCredentials(
  'xxx@gserviceaccount.com',
  array('https://www.googleapis.com/auth/calendar'),
  $key
);

$client->setAssertionCredentials($cred);
if ($client->getAuth()->isAccessTokenExpired()) {
  $client->getAuth()->refreshTokenWithAssertion($cred);
}

...

$event = $service->events->insert($calendarId, $event, $sendNotifications);

At first, I thought I could extract the content of the $key variable and insert it in another heroku environment variable but the content is encrypted.

So, here's the question: How do you protect your .p12 key from being stolen in an open source repository?

PS: I simply create Google Calendar events and send notifications to the attendees; if you you know a way to do that without using .p12 file, I am all ears.


回答1:


Don't commit it. Seriously, it's that easy. You were on the right track with heroku config variables. In fact even from posting it here you're probably going to want to request a new key.

There's a suggestion to store whole config files in other places that may need credentials that you can store. S3 is a great place for that kind of thing. S3 has an amazing PHP component, too, for accessing S3 buckets.



来源:https://stackoverflow.com/questions/35137838/how-to-protect-google-api-key-in-an-open-source-github-heroku-application

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!