Protecting API Credentials via the Dotenv Rails Gem
Install and configure the dotenv gem to protect the application API credentials and update the gitignore file to follow Rails best practices.

When it comes to API credentials, it's absolutely important to secure your login data. Let me give you an example of why this is important.

Last year, I had a junior developer who was working with me on a project and he pushed up a file containing my AWS credentials to a public repository. Within two hours, I got a call from Amazon to tell me that I'd incurred almost $18,000 in two hours on my AWS account. This happens because hackers have scripts on sites like GitHub that constantly look for such accidental uploads of AWS credentials. To avoid paying hefty amounts due to hackers using your account, make sure you always secure your credentials.

Now, back to the Twilio site: log in if you already have an account; otherwise, create a free account. When you log in, you'll be taken to the dashboard page.


You can see a link to view your API credentials in the top right corner of the page. Click on it to get your credentials. Also, feel free to browse through the site and add a phone number if you don't already have one.

Now, we are going to protect these credentials with a gem called dotenv-rails. Add this line to your Gemfile:

# Gemfile

gem 'dotenv-rails', groups: [:development, :test]

Next, run bundle install in your console; this installs the dotenv-rails library.

Then, create a file called .env at the root of your application. This is where you'll put all your credentials. Before going any further, add .env to your .gitignore file, which ensures that the .env file is never uploaded to GitHub. The .gitignore file is automatically created by GitHub and gives you the option to avoid uploading certain files.
This is how the .gitignore file should look after you add /.env:

# See https://help.github.com/articles/ignoring-files for more about ignoring files.
#
# If you find yourself ignoring temporary files generated by your text editor
# or operating system, you probably want to add a global ignore instead:
#   git config --global core.excludesfile '~/.gitignore_global'

# Ignore bundler config.
/.bundle

# Ignore all logfiles and tempfiles.
/log/*
!/log/.keep
/tmp
/.env

To verify that this is working, run git status. It will show changes to .gitignore, Gemfile and Gemfile.lock, but nothing about the .env file, and that is exactly what we want.

Now, open your .env file and add your Twilio credentials like this:

TWILIO_ACCOUNT_SID=YOURACCOUNTSID
TWILIO_AUTH_TOKEN=YOURAUTHTOKEN
TWILIO_PHONE_NUMBER=+1YOURPHONE

You can use different names for these variables if you like, but make sure your phone number is correct: it should start with "+1" if you're in the US, or with your own country code if you're elsewhere. This number must also be the one associated with your Twilio account.

You can test this in the Rails console. Type ENV followed by one of the variable names, for example ENV['TWILIO_ACCOUNT_SID'], and it should return the value you put in .env.

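The load-then-check flow described above, as an added example that is not the guide's or dotenv's own code: a simplified version of what dotenv-rails does with the .env file at boot (existing ENV values win), a startup check you could run from a Rails initializer so missing credentials or a phone number without its country code fail fast, and a check that .gitignore actually lists /.env. SAMPLE_ENV and all function names are constructed for this example.

```ruby
# Constructed sample .env contents, mirroring the guide's three variables.
SAMPLE_ENV = <<~ENV
  # comments and blank lines are ignored
  TWILIO_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  TWILIO_AUTH_TOKEN="secret token with spaces"
  TWILIO_PHONE_NUMBER=+15555550123
ENV

# Parse KEY=VALUE lines into a Hash (a cut-down stand-in for dotenv's parser).
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, vars|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next unless key && value && key.match?(/\A[A-Z_][A-Z0-9_]*\z/)
    vars[key] = value.strip.delete_prefix('"').delete_suffix('"')
  end
end

# Copy parsed values into the environment without clobbering anything that is
# already set there; dotenv behaves the same way (real ENV takes precedence).
def load_dotenv!(text, env = ENV)
  parse_dotenv(text).each { |k, v| env[k] = v unless env.key?(k) }
  env
end

# Initializer-style sanity check: all three Twilio variables present and the
# phone number in E.164 form (leading "+" and country code, as the guide says).
REQUIRED = %w[TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN TWILIO_PHONE_NUMBER].freeze

def check_twilio_env(env)
  missing = REQUIRED.select { |k| env[k].to_s.strip.empty? }
  return "missing: #{missing.join(', ')}" unless missing.empty?
  unless env['TWILIO_PHONE_NUMBER'].match?(/\A\+[1-9]\d{6,14}\z/)
    return 'TWILIO_PHONE_NUMBER must be E.164, e.g. +15555550123'
  end
  :ok
end

# Confirm .env is listed in .gitignore so it cannot be committed by accident.
def env_ignored?(gitignore_text)
  gitignore_text.each_line.any? { |l| %w[/.env .env].include?(l.strip) }
end

if __FILE__ == $PROGRAM_NAME
  env = load_dotenv!(SAMPLE_ENV, {})           # a plain Hash stands in for ENV
  puts check_twilio_env(env)                   # :ok
  puts env_ignored?(File.read('.gitignore')) if File.exist?('.gitignore')
end
```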

If you run into any problems, the cause could be something called Spring. If you open your Gemfile, you'll see a gem called spring in the development group.

Essentially, this gem helps your development environment load and run faster, but it can also cause newly added ENV variables not to appear. So if you have a problem, stop Spring with the command spring stop, and that should solve it.
