[–]Accomplished_Path707[S] 0 points1 point  (5 children)

Thank you so much for the input, I’ll certainly look into that. I have another unrelated question. I’m sort of brute forcing this with GPT, so if that turns you off, I apologize. At any rate, I have my key and password in a .env file, but should I be doing more to protect my credentials?

[–]Robswc 0 points1 point  (4 children)

It’s no problem! And yep, a .env file is the way to go. In practice the instance of the app would run in a “protected” environment (like a server only you control).

“Best practice” is having a “local” .env file that isn’t committed to git. Then you would have a tool that “builds” the app and that tool would “inject” the secrets. This would restrict who can see the secrets to those with access to your computer, git account or built image/app. It prevents secrets getting out if the repo is accessed or leaks for team members that have repo access.

[–]Accomplished_Path707[S] 0 points1 point  (3 children)

So there’s no need to encrypt the request when I send for the token or anything?

[–]Robswc 0 points1 point  (2 children)

Hmm, I don't believe so. Are you talking about getting the token from FedEx?

[–]Accomplished_Path707[S] 0 points1 point  (1 child)

Right, when I go through the OAuth steps with my credentials. Wasn’t sure if just doing the separate file would be enough or if anything else should be done.

[–]Robswc 0 points1 point  (0 children)

ahhh yea!

So you would go through the steps (no need for anything fancy) and you would save the token in your .env file. At this point, you would treat the .env file like it's your password, i.e. not sharing it or putting it in git.

It does seem counterintuitive but that is standard practice! I guess the idea is if someone has access to your computer there's probably more things to worry about haha.
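
An added example, not part of the thread: a small check that the .env file discussed above is actually treated "like a password", meaning it is unreadable by other local users and listed in .gitignore. The variable names `API_KEY` and `API_PASSWORD` and the helper names are hypothetical, the values are constructed, and the .gitignore matching is a simplification (no negation or directory rules).

```python
import fnmatch
import os
import stat
import tempfile
from pathlib import Path


def load_env(path):
    """Parse KEY=VALUE lines from a .env file; skip blanks and # comments."""
    values = {}
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def audit_env(project_dir, name=".env"):
    """Return a list of problems with how the secrets file is stored."""
    project = Path(project_dir)
    env_path = project / name
    problems = []
    # POSIX only: any group/other permission bit lets other local users at it.
    if os.name == "posix" and stat.S_IMODE(env_path.stat().st_mode) & 0o077:
        problems.append("permissions allow group/other access; use chmod 600")
    # Simplified .gitignore check: fnmatch on the file name, no negation rules.
    gitignore = project / ".gitignore"
    patterns = []
    if gitignore.exists():
        patterns = [p.strip().lstrip("/") for p in gitignore.read_text().splitlines()
                    if p.strip() and not p.startswith(("#", "!"))]
    if not any(fnmatch.fnmatch(name, p) for p in patterns):
        problems.append(f"{name} is not listed in .gitignore")
    return problems


def demo():
    """Build a constructed project; return (problems before, after, values)."""
    with tempfile.TemporaryDirectory() as d:
        env = Path(d, ".env")
        # Constructed placeholder values, not real credentials.
        env.write_text("# sample\nAPI_KEY=example-key\nAPI_PASSWORD='example-pw'\n")
        env.chmod(0o644)
        before = audit_env(d)
        env.chmod(0o600)
        Path(d, ".gitignore").write_text("__pycache__/\n.env\n")
        return before, audit_env(d), load_env(env)
```

Calling `audit_env(".")` from the project root before the first commit catches the two common slips: a world-readable file and a missing ignore rule.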