I want to push some codes to my GitHub Repository. These codes are in different languages like Javascript, Java, Python etc. Some of those codes contain some private API key that I don't want to publish.
Is there any way to hide the keys automatically.? Should I remove it from my code manually.?
There are many projects that I want to push to GitHub. So, manual removal is not a good option.
You should consider using .env files and read the keys from the environmental variables. How to do so depends on the language and tools you use (for node.js, php, etc.).
You can exclude .env file from commits by adding .env to the .gitignore. You can also upload an example configuration .env.example with dummy data or blanks to show the schema your application requires.
Any time you have files with sensitive data like
config.yml
you MUST NOT commit them to your repository. I'll show you an example.
Suppose you have a yaml file with some username and password:
# app/config/credentials.yml
credentials:
username: foo
password: bar
If you want to hide the foo and the bar values, remove this file from your repository, but add a distribution file that aims to maintain username and password fields, but without any real values:
# app/config/credentials.yml.dist
credentials:
username: ~
password: ~
During installation you can get this file by copying app/config/credentials.yml.dist to app/config/credentials.yml.
Also, remember to add app/config/credentials.yml to your .gitignore file.
Its the same with api keys:
# app/config/config.yml
config:
credentials:
username: foo
password: bar
api_stuffs:
api_foo: fooooo
api_secret: baaaaar
api_token: tooooken
This works well for configuration files, and is a good pattern that saves you every time you need to share the structure of a configuration but not sensitive data. Init files, configurations and so on.
Having your API key in the code is probably a bad idea anyway. It means that anyone else that wants to use your code will have to edit the code and rebuild it.
The textbook solution for such usecases is to move the credentials to some configuration file, and add clear documentation in the README.md file about how the configuration file's structure and location. You could also add an entry for it in your gitignore file to prevent yourself (and anyone else) from pushing your private information to GitHub by mistake.
You can add enviornment variables in your server to hide your API keys. All popular programming languages have default methods to acess the enviornment variables.
All the above answers are nice but i think as a beginner, documentation is difficult. Thus i am summarising everything with pictures in this solution
Step 0: write npm i dotenv -- save in terminal to install package for env file.
Step 1: create a file .env . Note that dont give name to file just create a .env file itself.
Click on the image if doubt in step 1
Step 2:: Now add your api keys in the file like (API_KEY = jkdjkjkl34334342).Click on the image if doubt in step 2
Step 3:: In the js file you are working in just add the below lines of code:
require('dotenv').config();
const apikey= process.env.API_KEY;
Click on the image if doubt in step 3
