Should I hide my facebook app_id and secret_key?

StackOverflow https://stackoverflow.com/questions/15189972

Question

I am done creating my first facebook app in ruby on rails. In my controller I have somethign like

 @oauth = Koala::Facebook::OAuth.new(app_id,secret_id,callback_url) (Replaced with temp values)

I am wondering is it okay to have these values in my controller or should I hide it somewhere else in my app? Assigning them to variables?

What's the right programming habit here?

Was it helpful?

Solution

It really comes down to wanting to avoid recording these values in your version control system.

The approach I usually take is as follows:

Add the following to your config/application.rb, inside the application class definition

# Loads app config from /config/env_vars.yml
require 'yaml'
rails_root = Rails.root || File.dirname(__FILE__) + '/../..'
config = YAML.load_file(rails_root.to_s + '/config/env_vars.yml')
if config.key?(Rails.env) && config[Rails.env].is_a?(Hash)
  config[Rails.env].each do |key, value|
    ENV[key] = value.to_s
  end
end

Create a file in config/ called env_vars.yml, and include the following

development:
  FB_APP_ID: APP_ID_HERE
  FB_APP_SECRET: APP_SECRET_HERE

replacing APP_ID_HERE and APP_SECRET_HERE with your api details. Add as many other values to this file as required (i.e. Twitter keys etc), and repeat for each environment (e.g. if you have different FB apps for dev, staging and production). These can then be referenced by in your controller as ENV['FB_APP_ID'] etc.

If using this approach, you can leave the env_vars.yml out of your VCS, thus meaning that you have not actually committed these values to your repository, while still making them available to your app.

Finally, if you use Heroku, assigning these values as environmental variables is easy to do for each app (i.e. heroku config:set FB_APP_ID=234234324234 - see https://devcenter.heroku.com/articles/config-vars for more details), saving the need to commit these values to the repo before pushing up to Heroku.

N.B. If using Heroku, there are a couple of modifications to the above approach

If excluding env_vars.yml from git, this file will not be available when pushed to Heroku, causing your app to crash on boot. The simplest solution is to modify the code added to config/application.rb as follows:

# Loads app config from /config/env_vars.yml
unless Rails.env == 'production'
  require 'yaml'
  rails_root = Rails.root || File.dirname(__FILE__) + '/../..'
  config = YAML.load_file(rails_root.to_s + "/config/env_vars.yml")
  if config.key?(Rails.env) && config[Rails.env].is_a?(Hash)
    config[Rails.env].each do |key, value|
      ENV[key] = value.to_s
    end
  end
end

By wrapping it in the unless Rails.env == 'production' conditional, it will be skipped if running on production (the default environment for Heroku). If using multiple environments for Heroku (such as staging, uat, production) this could be modified to

unless %w(staging uat production).include?(Rails.env)

Once this has been committed and pushed to Heroku, it will no longer be looking for the env_vars.yml file, leaving you free to set your config variables an an app-by-app basis via the heroku config:set Heroku toolbelt command.

OTHER TIPS

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top