Keeping passwords/ api keys safe using expo config values?

#1

This is not really a question, but I’m wondering what is the best approach to keep your passwords/API keys safe while working on an Expo app?

I’ve currently pushed one JSON to a GitHub repo that contains sensitive data (Google OAuth client IDs, Android API keys), and I use this repo to build standalone apps. I’d like to delete this file (and its git history log) from GitHub for obvious security reasons and wanted to know what is the recommended approach here to ‘save’ and ‘use’ this sensitive info using Expo.

For example, Heroku recommends setting config variables

$ heroku config:add S3_KEY=8N029N81 S3_SECRET=9s83109d3+583493190

and then reference these values in code using the ENV variable,

AWS::S3::Base.establish_connection!(
  :access_key_id     => ENV['S3_KEY'],
  :secret_access_key => ENV['S3_SECRET']
)

I’ve borrowed this example from here.

Does Expo allow something similar, to set config values and use them in our app? Or what is the best recommended approach here?

2 Likes
#2

It’s a bit hard to make generalizations for this; it depends on whether your repo is open or private, and whether you have to share the information with your collaborators or not.

However, secrets do not belong in the repo (that’s why they are called secrets). You can add them to the repo locally and include them in the .gitignore file. Also, https://www.npmjs.com/package/check-for-leaks can help with that.
The definition of what is secret then is up to you.
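As an added illustration of the advice in this reply (not code from the thread or from check-for-leaks), here is a small pre-commit style check: files matched by your ignore list are skipped, and everything else is scanned for values shaped like the keys mentioned in the first post. The patterns, file names and sample contents are constructed for the example; the AWS value is the one from AWS's own documentation examples.

```javascript
// Added example: a minimal "did I stage a secret?" check.
// Regexes have no 'g' flag so .test() is stateless.
const SECRET_PATTERNS = [
  // AWS access key id: "AKIA" followed by 16 upper-case alphanumerics
  { kind: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  // Google API key: "AIza" followed by 35 URL-safe characters
  { kind: 'google-api-key', re: /\bAIza[0-9A-Za-z_-]{35}/ },
  // Generic "secret = value" assignment in JSON, .env or JS sources
  {
    kind: 'generic-secret-assignment',
    re: /(?:api[_-]?key|secret|password|token)["']?\s*[:=]\s*["']?[^\s"',]{8,}/i,
  },
];

// Minimal .gitignore-style matcher: exact path or a leading-directory prefix.
// Real gitignore semantics are richer; this is enough to show the idea.
function isIgnored(path, ignorePatterns) {
  return ignorePatterns.some(
    p => path === p || path.startsWith(p.replace(/\/?$/, '/'))
  );
}

// Scan a map of { path: contents } and return one finding per (line, pattern).
function scanStagedFiles(files, ignorePatterns = []) {
  const findings = [];
  for (const [path, contents] of Object.entries(files)) {
    if (isIgnored(path, ignorePatterns)) continue; // never committed, skip
    contents.split('\n').forEach((line, i) => {
      for (const { kind, re } of SECRET_PATTERNS) {
        if (re.test(line)) findings.push({ path, line: i + 1, kind });
      }
    });
  }
  return findings;
}

// Constructed sample "staged files" for the demo.
const SAMPLE_FILES = {
  // An Expo app.json with nothing sensitive in it
  'app.json': '{\n  "expo": {\n    "name": "demo",\n    "slug": "demo"\n  }\n}',
  // A local secrets file that belongs in .gitignore
  'secrets.json':
    '{\n  "S3_KEY": "AKIAIOSFODNN7EXAMPLE",\n  "S3_SECRET": "constructed-secret-value-123"\n}',
  // A Google services file carrying a key-shaped value (constructed key)
  'android/google-services.json':
    '{\n  "client": [{ "api_key": [{ "current_key": "AIzaSyCONSTRUCTEDKEYCONSTRUCTEDKEY12345" }] }]\n}',
};

// With secrets.json ignored, only the google-services.json finding remains.
function demo() {
  return scanStagedFiles(SAMPLE_FILES, ['secrets.json']);
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it as a script before committing (or wire it into a git pre-commit hook) and treat any finding outside your ignore list as a reason to stop and move that value out of the repo.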

#3

you should never have secrets inside of your client app, except for dynamic secrets that are specific to the user (eg: auth token) or short-lived for a single request. read more here: https://softwareengineering.stackexchange.com/questions/194045/securely-storing-secret-data-in-a-client-side-web-application

if you’re doing something that requires a secret that’s a good sign that you should push that responsibility to a server so you don’t leak the secret

1 Like
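Added example of the pattern this reply recommends (not code from the thread or from Expo): the mobile client holds only its own per-user session token, and the third-party API key stays in the server's environment, set the same way as the Heroku config variables in the first post. The env var name, the session store, the assumed upstream geocoding API and its key parameter are all constructed for illustration; the upstream call is injected so the example runs offline.

```javascript
// Added example: keep the third-party key on the server, never in the app.

// Read required secrets from the process environment and fail fast if any
// are missing, so a misconfigured deploy cannot start without its keys.
function loadServerSecrets(env, required = ['GEOCODE_API_KEY']) {
  const missing = required.filter(name => !env[name]);
  if (missing.length) {
    throw new Error('missing server secrets: ' + missing.join(', '));
  }
  return Object.fromEntries(required.map(name => [name, env[name]]));
}

// Constructed session store: a real server would back this with a database.
// The token is the only "secret" the client ever holds, and it is per-user.
const SESSIONS = { 'sess-constructed-1': { userId: 'u42' } };

// Build the upstream request the server makes on the client's behalf.
// The key goes on the request here, server side; the client never sees it.
function buildUpstreamRequest(address, secrets) {
  const url = new URL('https://geocode.example.invalid/v1/search'); // assumed upstream
  url.searchParams.set('q', address);
  url.searchParams.set('key', secrets.GEOCODE_API_KEY);
  return { method: 'GET', url: url.toString() };
}

// Handle one request from the app. `callUpstream` is injected so the example
// runs offline; in production it would be fetch/axios.
function handleGeocode(clientReq, secrets, callUpstream) {
  const token = (clientReq.headers.authorization || '').replace(/^Bearer /, '');
  const session = SESSIONS[token];
  if (!session) return { status: 401, body: { error: 'invalid session' } };

  const { address } = clientReq.body;
  if (typeof address !== 'string' || address.length === 0 || address.length > 200) {
    return { status: 400, body: { error: 'bad address' } };
  }

  const upstream = callUpstream(buildUpstreamRequest(address, secrets));
  // Return only what the app needs; never echo the upstream URL or headers,
  // which would hand the key back to the client.
  return { status: 200, body: { lat: upstream.lat, lng: upstream.lng } };
}

// Constructed fake upstream that records what it was asked for.
function makeFakeUpstream() {
  const seen = [];
  const call = req => {
    seen.push(req);
    return { lat: 1.5, lng: 2.5, quotaRemaining: 999 };
  };
  return { call, seen };
}

// Demo: one authenticated request through the proxy.
function demo() {
  const secrets = loadServerSecrets({ GEOCODE_API_KEY: 'constructed-server-key' });
  const fake = makeFakeUpstream();
  const res = handleGeocode(
    { headers: { authorization: 'Bearer sess-constructed-1' }, body: { address: '1 Main St' } },
    secrets,
    fake.call
  );
  return { res, upstreamUrl: fake.seen[0].url };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check worth keeping from this example is the last line of handleGeocode: the response is rebuilt from named fields rather than passed through, so a key, quota counter or upstream URL cannot leak into the app by accident.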