I know that there options like
heroku config:set
But the config vars will still appears in the UI for heroku dashboard, visible to anyone who have access.
Let's say I only want one person (i.e. the owner) to set and see this variable to store a secret, is it possible?
Related
I am using laravel to build an app in BigCommerce. I am able to get access token but I need to store that for future requests. What is the best possible way to store the app data for BigCommerce?
I've got this working by creating a DB schema in Laravel where in there are tables like stores, users, app_settings.
Whenever the user installs an app, I am storing an access token and other information like store hash in stores table and user details in users table.
Whenever the app is loaded I could get the store and user information via verify signed request payload. Using this I am able to configure my app settings for the user and store those in app settings table.
So when I create a Webhook for the store, I could get the store hash from response as producer key and accordingly I can find the access token for the store using store hash in stores table.
If you're git ignoring your config.json or .env files, you could store these there. However after speaking with one of our Developer Advocates, I wanted to pass along some best practice advice. :) You may want to consider using a secrets manager for option #1 in your decision here. A secrets manager meaning a tool to safely store these variables like Secrets in Github or Key Vault in Azure.
Also, this resource may be helpful to review for your use case. https://www.codementor.io/#ccornutt/keeping-credentials-secure-in-php-kvcbrk55z
I want to make an http request from bot composer but one thing to pass while making http request needs to be kept a secret. So I want to fetch that value from key vault. Can someone tell how to integrate bot composer with key vault.
I'll assume you are using Azure to run the bot, so I'll answer with that in mind. Otherwise let me know and I can expand the answer.
Take the secret from the settings of the bot. It's just like how you access turn.activity.text, but using settings scope instead of the turn scope. So: settings.apiSecret.
Local Env
Now in development, local environment, you can just put the secret in the settings file.
In Azure
When you deploy to your azure app service, you can use Key Vault References in the Configuration blade. Remember you need to give the app service Secret Get permission to that Key Vault.
This is the easiest way since you don't need to write code to query KeyVault via the API.
From DevOps to Azure
There's a way to get the secret in the pipeline, but I believe this is not something you need in this scenario, you just want to set the variable in the App Service. So in the App Service Deployment task, under Application and Configuration settings -> App Settings: you can add the same thing you'd put in the Configuration blade in the azure portal.
So you can add to the textbox: -apiSecret #Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/) or click on the button with the elipsis on the right and enter it on the form
I am new to laravel passport and i am figuring out how laravel passport works
Question 1
Why save the personal access client id and secret in .env according to the docs here? if the id and secret is created by executing this command php artisan passport:client --personal and stored in the database
Question 2
According to docs, it is said to save it in .env file. which application is it saved in? the passport application or the frontend javascript application. I have 2 different projects one is the laravel passport(backend) and the other is the nuxtjs(frontend)
Answer 1
You should never hardcode secrets; that is one of the most basic security best practices. The reason behind that is that when you push your code into any remote(usually Github), you let anybody see that secret.
Even if your repository is private, you may not want all members to have access to it or if you decide to make it public you won't want to worry about secrets being leaked. So it's best to not include them in the code.
More about your oAuth secret key here.
Answer 2
It is not loaded to any application by default. What you're doing is just saving the information to a file called .env. You then have to configure one of your applications to load environmental variables from it, probably using a library(how laravel does it, how you can load .env files in nuxt.js.
In your case, the Nuxt app does not need to have access to that secret so there is no need to load it there.
Note that you will have to use .gitignore or an equivelant to your source-control system in order to prevent the .env file from being uploaded to a remote and avoid the problems of answer 1.
I am trying to point my Google Domains domain name to Heroku, but am having a hard time. I previously had the domain forwarded to point to another website, but I have now followed these instructions to point it to my Heroku app.
The domain in question is www.lizbayardelle.com. The Heroku app I want it to is https://liz-bayardelle.herokuapp.com/. If I type heroku open in Terminal this is what comes up. However, if you go to the domain and the heroku app, the domain still shows the other website (to which it was initially forwarded), not the Heroku app.
Here are my Google Domains settings:
If you want it to point to liz-bayardelle.herokuapp.com, use that.
You've used www.liz-bayardelle.herokuapp.com. Visiting that URL displays Heroku's "no such app" page.
It turned out that the domain name was still "claimed" by the other Heroku app, so I had to log in to the one which had been forwarded on the Heroku console and delete the domain name. After I did this it could be added with heroku domains:add www.lizbayardelle.com and heroku domains:add lizbayardelle.com.
Currently I have an app which gives my users a custom subdomain.
neat.coolapp.com
However, I want my users to be able to CNAME their personal domain to that website.
ex. hey.neat.com -> neat.coolapp.com
Is this possible on heroku?
Thanks in advance for any insight.
You'll need to add whatever domain the customer wants to use to your application so the correct application on Heroku responds - you could do this either manually (via the heroku control panel) or use the heroku gem within your application to add the domain to your application via some kind of control panel if the customer is able to add their own domains.
In regards to cname's - I would suggest setting up something like proxy.yourwebsite.com as a CNAME to yourapp.heroku.com and then you get your customers to cname their domain to proxy.yourwebsite.com in their DNS config.
When you sign up for Heroku you will get a subdomain like
asdf.heroku.com
If you have a domain like mywebsite.com you can cname mywebsite.com to asdf.heroku.com and you will need to add mywebsite.com to Heroku's custom domain command.
From there I'm not sure, if you wanted to add mywebsite2.com without having to add it using the custom domain command you can try to cname it to mywebsite.com, if you have two domains you can try it out.