Kevin Hough

Reputation: 43

keep http authentication private in a public github repo?

I have a public Github repo for an app that I'd like to add authentication to. I plan to use basic http authentication, but this would require that I store the username and password in the configuration file (or similar), which is public.

This would mean that anyone could find the username and password in the public configuration file.

Is there a way to keep authentication secure (i.e., private) without creating a completely private repo?

Or perhaps a way to bypass Github during a Heroku push so that the live (Heroku) environment receives the authentication credentials without having to retrieve them from the public Github repo?

EDIT: Thanks for the responses. They may very well solve my problem but unfortunately they're a bit outside of my skill level. I think my best option is to study more before I mess around with authentication and environment variables. Thanks again!

Upvotes: 1

Views: 438

Answers (2)

Jim Stewart

Reputation: 17323

The canonical way to do this sort of thing is to place the credentials into either environment variables or an external file. I find environment variables easiest, especially with Heroku.

Here's an example of basic auth in a controller that uses credentials from environment variables (adapted from Railscast #82):

class SomeController < ApplicationController

  before_filter :authenticate

protected

  def authenticate
    authenticate_or_request_with_http_basic do |username, password|
      username == ENV['MYAPP_USERNAME'] && password == ENV['MYAPP_PASSWORD']
    end
  end

end

Then you can set the env vars in your dev environment, in a shell startup file if you like. Here's a bash/zsh-style example:

export MYAPP_USERNAME=admin
export MYAPP_PASSWORD=foobar

To configure Heroku:

heroku config:set MYAPP_USERNAME=admin MYAPP_PASSWORD=foobar

Upvotes: 2

ny95

Reputation: 710

Heroku actually has a solution to things like this: you can use config vars. In Terminal or CMD you can add your config variables by running:

heroku config:add USERNAME=johndoe
heroku config:add PASSWORD=password

and so on, then you can access the variables in your app using:

ENV['USERNAME']
ENV['PASSWORD']

Heroku Configuration Variables

This is by far the most secure way of achieving what you want and is safe for public use.

Upvotes: 4
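Both answers above boil down to the same pattern: the expected username and password live only in the process environment (a shell startup file locally, `heroku config:set` on Heroku), never in a committed file, and the app compares what the client sent against them. The block below is an added example, not code from either answer and not a Rails or Heroku API: it parses an HTTP Basic `Authorization` header, reads the expected credentials from an environment hash (using the `MYAPP_USERNAME`/`MYAPP_PASSWORD` names from the first answer; the header string and the demo environment are constructed here), fails closed when either variable is unset or empty, and compares in constant time so a wrong guess does not leak how many leading bytes matched. It needs only the Ruby standard library, so it runs outside Rails.

```ruby
# Added example (not from the answers above): HTTP Basic check backed by
# environment variables only. Assumed names: MYAPP_USERNAME, MYAPP_PASSWORD.
require 'digest'

# Constant-time equality. Hashing both sides first gives fixed-length
# inputs, so neither the length nor the position of the first mismatch
# changes how long the comparison takes.
def secure_compare(a, b)
  return false if a.nil? || b.nil?
  x = Digest::SHA256.digest(a.to_s)
  y = Digest::SHA256.digest(b.to_s)
  diff = 0
  x.bytes.zip(y.bytes) { |p, q| diff |= p ^ q }
  diff.zero?
end

# Parse "Basic <base64(user:pass)>". Returns [user, pass], or nil when the
# header is missing, uses another scheme, or is not valid base64 / has no colon.
def parse_basic_auth(header)
  return nil unless header.is_a?(String)
  scheme, token = header.split(' ', 2)
  return nil unless scheme&.casecmp?('basic') && token
  decoded = token.strip.unpack1('m0') # strict base64; raises on bad input
  user, pass = decoded.split(':', 2)
  return nil if pass.nil?
  [user, pass]
rescue ArgumentError
  nil
end

# Expected credentials come only from the environment. Fail closed: if either
# variable is unset or empty, nobody can authenticate (rather than everybody
# matching an empty password).
def expected_credentials(env = ENV)
  user = env['MYAPP_USERNAME']
  pass = env['MYAPP_PASSWORD']
  return nil if user.nil? || user.empty? || pass.nil? || pass.empty?
  [user, pass]
end

# Returns true only when the header carries the configured username and
# password. Both comparisons always run (non-short-circuit &) so the timing
# does not reveal whether the username alone was right.
def authenticate(authorization_header, env = ENV)
  expected = expected_credentials(env)
  return false unless expected
  supplied = parse_basic_auth(authorization_header)
  return false unless supplied
  secure_compare(supplied[0], expected[0]) & secure_compare(supplied[1], expected[1])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in for the real process environment.
  demo_env = { 'MYAPP_USERNAME' => 'admin', 'MYAPP_PASSWORD' => 'foobar' }
  good = 'Basic ' + ['admin:foobar'].pack('m0')
  puts authenticate(good, demo_env)                                      # true
  puts authenticate('Basic ' + ['admin:wrong'].pack('m0'), demo_env)    # false
  puts authenticate(good, {})                                            # false: env unset
end
```

In a Rails controller the header is `request.authorization` and the environment is the real `ENV`; the point of the fail-closed check is that a forgotten `heroku config:set` produces a locked-out app rather than one that accepts an empty password.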
