Story Time: API Key in Repo
In my previous article, Best Lessons Learned to Date, I brought up the importance of keeping your secrets (#7) and a time that I published one of my API keys to GitHub. This is that story.
The Story
In Fall 2022, I was working on a project for CSC 4610 - Advanced Topics in Web Development that I called PokéTCG Card Manager. Because part of the premise was displaying cards and information about them, I decided it would be best to use an API instead of storing all of that information myself. Anyway... as I was implementing some of the basic API interactions, I stupidly put my API key directly into one of the views (in this commit), thus violating a few best practices in Laravel that I've since learned—I shouldn't have been doing an API call there to begin with—and later (in this commit) moved my new key to an env.
Moral of the Story
First, always ensure that you have an environment file (i.e., .env) set up to store all of your sensitive information. You should never put information like API keys or login credentials in any other file. Here is a good Medium article I found talking more about .env files.
Second, always ensure that you have set up your version control system to ignore the environment file (i.e., putting .env in your .gitignore file). This will prevent the version control system from tracking that file and publishing it.
Third, I was lucky. I was lucky to make this mistake and learn this lesson with a key that was fairly inconsequential, when API key insecurity is estimated to cost organizations between $41 and $75 billion annually (source). But at least that also means we're definitely not alone in making these mistakes.
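The two rules above (.env must be ignored, and no committed file may carry a key literal) can be checked before every commit. Here is an added example of such a pre-commit style check, written for this article and not code from the original project; the secret pattern, the file names and the Laravel `Http::withHeaders` snippets are constructed assumptions, and it reads .gitignore directly rather than asking git.

```shell
#!/bin/sh
# Added example, not code from the original post. A minimal pre-commit style check
# with two rules from the article: .env must be ignored, and no file being committed
# may contain an API-key-looking literal. Patterns and file names are assumptions.

# 0 if the given .gitignore ignores .env (accepts ".env", "/.env", ".env*"), else 1.
env_is_ignored() {
  [ -f "$1" ] || return 1
  grep -Eq '^[[:space:]]*/?\.env(\*|[[:space:]]|$)' "$1"
}

# 0 if the file contains something like  'X-Api-Key' => 'abc...'  (a key/secret/token
# name, an assignment operator, then a quoted literal of 20+ token characters), else 1.
file_has_secret() {
  pat="(api[_-]?key|secret|token|password)['\"]?[[:space:]]*(=>|=|:)[[:space:]]*['\"][A-Za-z0-9_-]{20,}['\"]"
  grep -Eiq "$pat" "$1"
}

# Usage: precommit_check <path to .gitignore> <files to be committed...>
# Prints each finding and returns 1 if anything should block the commit.
precommit_check() {
  gitignore="$1"; shift
  rc=0
  env_is_ignored "$gitignore" || { echo "ERROR: .env is not ignored in $gitignore"; rc=1; }
  for f in "$@"; do
    case "$(basename "$f")" in
      .env.example) ;;                      # the committed template is fine
      .env|.env.*) echo "ERROR: refusing to commit $f"; rc=1; continue ;;
    esac
    if file_has_secret "$f"; then echo "ERROR: possible hard-coded secret in $f"; rc=1; fi
  done
  return $rc
}

# Demo on constructed files: a leaky Blade view beside its env-backed fix.
demo=$(mktemp -d)
printf 'vendor/\n.env\n' > "$demo/.gitignore"
printf "Http::withHeaders(['X-Api-Key' => 'CONSTRUCTEDKEY0123456789abcdef'])\n" > "$demo/leaky.blade.php"
printf "Http::withHeaders(['X-Api-Key' => config('services.pokemontcg.key')])\n" > "$demo/fixed.php"
precommit_check "$demo/.gitignore" "$demo/leaky.blade.php" && echo "leaky: allowed" || echo "leaky: blocked"
precommit_check "$demo/.gitignore" "$demo/fixed.php" && echo "fixed: allowed" || echo "fixed: blocked"
rm -rf "$demo"
```

Hooked up as `.git/hooks/pre-commit` over the staged file list, the leaky view is blocked while the version that reads the key from config (and therefore from .env) passes.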
Conclusion
Thanks for reading this edition, and I apologize if it's a little short or sloppy. As I explained in this post, the article I was planning on publishing this week apparently didn't save, so I had to write this one relatively last minute.
Have you ever pushed a secret to the internet? I'd love to hear your stories too!
Comment from Future Software Dev. | B.S. in CS & Math (1 year ago):
Here is a good example of a more severe instance of this that came across my email the other day thanks to TLDR. It highlights the potential repercussions of such a leak. https://redhuntlabs.com/blog/mercedes-benz-source-code-at-risk-github-token-mishap-sparks-major-security-concerns/?utm_source=tldrinfosec