Handle JSON key from env variables #110

Open
sofianegargouri opened this issue Dec 8, 2022 · 5 comments
@sofianegargouri

Some hosting services like Scalingo or Heroku only allow env variables to handle secrets.

Is there a way to directly pass either a base64 to FCM or even the JSON (both could be passed as an env variable), or the required information if necessary?

@m-caboche

Same question here!

@sabman sabman self-assigned this Dec 12, 2022
@sofianegargouri
Author

sofianegargouri commented Dec 16, 2022

As a workaround, I did this:

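```ruby
require 'base64'
require 'fcm'
require 'tempfile'

class FcmClient < FCM
  def initialize
    super(ENV.fetch('FCM_API_TOKEN', nil), credentials_file_path, ENV.fetch('FCM_PROJECT_ID', nil))
  end

  private

  # Decodes the Base64 service-account JSON from FCM_CREDENTIALS into a
  # Tempfile (created with mode 0600) and returns its path.
  def credentials_file_path
    # Keep a reference on the instance: a Tempfile is unlinked once its
    # object is garbage-collected, which would invalidate the path.
    @credentials_file = Tempfile.new('FCM_CREDENTIALS')
    # ENV.fetch without a default raises KeyError if the variable is unset.
    @credentials_file.write(Base64.decode64(ENV.fetch('FCM_CREDENTIALS')))
    @credentials_file.close
    @credentials_file.path
  end
end
```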

You'll have to convert your file to Base64 and save it as FCM_CREDENTIALS

@m-caboche

I like the idea of using Tempfiles. Although not technically encrypted on disk, it at least does make it less trivial to locate the credentials file.

However, I don't see why you still use a file (FCM_CREDENTIALS in your case) to store the actual credentials. Wouldn't it be safer to directly encrypt all the content of the FCM_CREDENTIALS file in your ENV? Having it base64 encoded is nice for sure, but not much safer.

Thanks for the idea anyways! I'll look into it.

@sofianegargouri
Author

Well, I'd prefer to, but actually you're supposed to provide a file path to FCM for it to work, not the actual value of the file (which is the requested feature here)

@m-caboche

Yes, exactly. Maybe I explained myself poorly. What I meant was:

You could store the contents of the FCM_CREDENTIALS file in an ENV variable, then read that variable (in your code), and use it to create a Tempfile. Then you use that tempfile's path for the fcm gem.

That way, you at least avoid having an unencrypted file that is static on disk (the FCM_CREDENTIALS file in your suggested workaround). Instead, the only files that you actually have on disk are Tempfiles, which are arguably less easy to locate.

But in any case, since the gem expects a path to an unencrypted file on disk, that file has to exist for at least the duration of initialization (actually maybe longer looking at the source code). Forcing us to have that file unencrypted on disk makes the gem inherently insecure since it prevents us from using any encryption on the data we need to provide the gem with (the FCM_CREDENTIALS file).

So I think what we need really is a PR that would fix the issue, or enable an additional, secure way to provide the credentials to the fcm gem (for backward-compatibility).
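
An added example, not part of the thread or of the fcm gem: one way to turn the env value discussed above (raw JSON or Base64 of it) into a validated, owner-only Tempfile whose path can be handed to the gem. The helper names, the sample key and the list of required fields are assumptions made for illustration.

```ruby
require 'base64'
require 'json'
require 'tempfile'

# Constructed sample, not a real key. Field names follow a Google
# service-account key file; the list of required ones is an assumption.
SAMPLE_KEY_JSON = JSON.generate(
  'type' => 'service_account',
  'project_id' => 'example-project',
  'private_key' => 'constructed-placeholder-not-a-real-key',
  'client_email' => 'push@example-project.iam.gserviceaccount.com'
)
REQUIRED_KEYS = %w[type project_id private_key client_email].freeze

# Accepts the env value as raw JSON or as Base64 of that JSON and returns
# the validated JSON text. Raises ArgumentError for anything else.
def decode_credentials(value)
  text = value.to_s.strip
  raise ArgumentError, 'credentials value is empty' if text.empty?

  # Strict decoding rejects truncated or corrupted input instead of
  # silently skipping bad characters the way Base64.decode64 does.
  unless text.start_with?('{')
    text = Base64.strict_decode64(text.delete("\r\n")).force_encoding('UTF-8')
  end
  doc = JSON.parse(text)
  raise ArgumentError, 'credentials are not a JSON object' unless doc.is_a?(Hash)

  missing = REQUIRED_KEYS - doc.keys
  raise ArgumentError, "missing keys: #{missing.join(', ')}" unless missing.empty?

  text
rescue JSON::ParserError
  raise ArgumentError, 'credentials are not valid JSON'
end

# Validates first, then writes the key to a Tempfile (created with mode 0600)
# and returns the Tempfile itself. Keep it referenced while the path is in
# use and call #unlink on it at shutdown.
def materialize_credentials(value)
  text = decode_credentials(value)
  file = Tempfile.new(['fcm-credentials', '.json'])
  file.write(text)
  file.close
  file
end
```

The returned object's `path` is what would go in the second argument of the `super` call in the workaround above, for example from `materialize_credentials(ENV.fetch('FCM_CREDENTIALS'))`.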
