Security Audit for .env variables / API keys

[edeleastar]

Examine the current approach to API keys:

• .env

Trace the usage of these keys in the application and asses the protection (or otherwise) of same. Propose a more secure approach.

[bonjo7]

If you have and AWS account, one secure approach could be the use of the AWS Parameter Store[1].

On the AWS console under Systems Manager, you should see parameter store, and here you can create a new parameter[2]

You could then use the Javascript AWS SDK in order to get the values for each or all parameter(s)[3]

This should allow for the removal of a .env file, it also allows for one of many admins to be responsible for env var values.

In the param store you could use different paths for different environments, as an example

tutors/dev/PRIVATE_AUTH_GITHUB_ID=xxx
tutors/pre/PRIVATE_AUTH_GITHUB_ID=xxx
tutors/prod/PRIVATE_AUTH_GITHUB_ID=xxx

Based on the environment you could then select the correct path above.

Note: you would still need some sort of env file or at least store your AWS accessKeyId and secretAccessKey on your machine in order to access your AWS instance, or find some other way of access your AWS instance.

[1] https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
[2] https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-create-console.html
[3] https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ssm/command/GetParameterCommand/