如何在开源(Github + Heroku)应用程序中保护Google API密钥 [英] How to protect Google API Key in an open-source (Github + Heroku) application

问题描述

我正在创建一个应用程序，希望在未来几周内将其开源.源代码位于Github上，如果有新的提交通过了Travis CI测试，则Heroku会自动部署该代码.

I'm creating an application I wish to open-source in the coming weeks. The source code is on Github and Heroku autodeploys the code when there is a new commit if it passes the Travis CI tests.

在此应用程序中，我通过使用heroku dynos中的env变量，设法将几个API密钥排除在了开放源代码存储库之外.

In this application, I've several API keys that I managed to keep out of the open source repository by using env variables in my heroku dynos.

但是，对于Google服务器到服务器的API，我必须有一个 .p12 文件.在php中，以下内容将验证我的客户端:

For the Google server-to-server API, however, I must have a .p12 file. In php, the following will authenticate my client:

$client = new Google_Client();
$client->setApplicationName("Client_Calendar");
$service = new Google_Service_Calendar($client);

$key = file_get_contents('myKey.p12');
var_dump($key);

$cred = new Google_Auth_AssertionCredentials(
  'xxx@gserviceaccount.com',
  array('https://www.googleapis.com/auth/calendar'),
  $key
);

$client->setAssertionCredentials($cred);
if ($client->getAuth()->isAccessTokenExpired()) {
  $client->getAuth()->refreshTokenWithAssertion($cred);
}

...

$event = $service->events->insert($calendarId, $event, $sendNotifications);

起初，我以为我可以提取 $ key 变量的内容并将其插入到另一个heroku环境变量中，但是内容已加密.

At first, I thought I could extract the content of the $key variable and insert it in another heroku environment variable but the content is encrypted.

因此，这是一个问题:如何保护您的 .p12 密钥不被盗到开源存储库中?

So, here's the question: How do you protect your .p12 key from being stolen in an open source repository?

PS:我只是创建Google日历活动并将通知发送给参与者；如果您知道一种无需使用 .p12 文件即可做到这一点的方法，那么我无所不用其极.

PS: I simply create Google Calendar events and send notifications to the attendees; if you you know a way to do that without using .p12 file, I am all ears.

推荐答案

不要提交.说真的，就是这么简单.您使用 heroku配置变量走上了正确的轨道.实际上，即使将其发布到这里，您也可能会想要请求一个新密钥.

Don't commit it. Seriously, it's that easy. You were on the right track with heroku config variables. In fact even from posting it here you're probably going to want to request a new key.

建议将整个配置文件存储在其他可能需要存储凭据的位置.S3是执行此类操作的好地方.S3也具有一个很棒的PHP组件，用于访问S3存储桶.

There's a suggestion to store whole config files in other places that may need credentials that you can store. S3 is a great place for that kind of thing. S3 has an amazing PHP component, too, for accessing S3 buckets.

这篇关于如何在开源(Github + Heroku)应用程序中保护Google API密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！