如何隐藏敏感的 Twilio 账户信息（account_sid & auth_token）

Question

I am getting introduced the wonderful world of Twilio + RoR and have so far had a pleasant experience.

However, I've noticed that if I were to make my projects public, I would exposing sensitive Twilio account information:

• Account_sid
• Auth_token
• Twilio phone number

My question is, how can I hide these three pieces of information in a Rails application so that when pushed to GitHub, they remain unaccessible to others?

Here is some sample code below:

class SMS < ApplicationController
  def text
    message = params[:message]
    number = params[:number]
    account_sid = 'xxxxxxxxxxxxHIDExxxxxxxxxxxxxxxxx'
    auth_token = 'yyyyyyyyyyyyyHIDEyyyyyyyyyyyyyy'

    @client = Twilio::REST::Client.new account_sid, auth_token

    @message = @client.account.messages.create({:to => "+1"+"#{number}",
                                   :from => "zzzzHIDEzzzz",
                                   :body => "#{message}"})
    redirect_to '/index'
  end
end

Answer 1

The answer is to not publish that information to GitHub in the first place.

When I worked with Twilio applications, I used a localsettings.py (Python, but should be the same for Ruby) file holding the sensitive information that I downloaded and distributed out-of-band.

A user-friendly interface could be a setup script to download this file from a server credentials.

Alternatively, if you must check it into github, encrypt it symmetrically with something like gnupg and decrypt it on your host machine.

In all these cases, you have to be careful not to accidentally check it in to git. Adding localsettings.rb to your .gitignore file is a great idea.

(If you've already pushed it to github, see here for how to undo that.)

Answer 2

a bit late my answer but you should use environment variables instead hardcoded strings.

in production you can use some tools like Vault to store it safely. here is a nice article about it https://medium.com/adessoturkey/getting-started-with-hashicorp-vault-658a3e523949