React-native-config: Should I commit the .env file?

Created on 8 Jan 2020  路  6Comments  路  Source: luggit/react-native-config

I've already seen people telling to commit the .env file (for React projects, for example), and to not commit (for servers).

For react-native projects, what's the best practice?

picture davicorreiajr

Most helpful comment

Ignore the .env and create a example file removing only the values.
That way the users will know the variables they need without exposing your secrets.

.env (ignored)

SUPER_SECRET=o2pqB1SNMAqJoYpMZej/cg==

.env.example (committed)

# Copy and rename this file to '.env'
SUPER_SECRET=generate one at https://generate.plus/en/base64
picture DiogoAbu on 24 Jan 2020
👍3

All 6 comments

Do not commit it. Keep it in .gitignore

jpudysz picture jpudysz on 9 Jan 2020

Ignore the .env and create a example file removing only the values.
That way the users will know the variables they need without exposing your secrets.

.env (ignored)

SUPER_SECRET=o2pqB1SNMAqJoYpMZej/cg==

.env.example (committed)

# Copy and rename this file to '.env'
SUPER_SECRET=generate one at https://generate.plus/en/base64
DiogoAbu picture DiogoAbu on 24 Jan 2020
👍3

Keep in mind this module doesn't obfuscate or encrypt secrets for packaging, so do not store sensitive keys in .env. It's basically impossible to prevent users from reverse engineering mobile app secrets, so design your app (and APIs) with that in mind.

So, you can commit it.

fattomhk picture fattomhk on 31 Jan 2020

Keep in mind this module doesn't obfuscate or encrypt secrets for packaging, so do not store sensitive keys in .env. It's basically impossible to prevent users from reverse engineering mobile app secrets, so design your app (and APIs) with that in mind.

So, you can commit it.

But imagine you have the repository public, if you commit it then people can easily access it, of course don't committing will not completely protect it but is better than giving direct access to your envs and api key.

You can commit it but in my opinion that isn't the best approach.

FranciscoSimaoPerez picture FranciscoSimaoPerez on 2 Mar 2020

You should not be storing your API keys in this file in the first place.

habibalamin picture habibalamin on 2 Mar 2020
👍1

Keep in mind this module doesn't obfuscate or encrypt secrets for packaging, so do not store sensitive keys in .env. It's basically impossible to prevent users from reverse engineering mobile app secrets, so design your app (and APIs) with that in mind.

So, you can commit it.

But imagine you have the repository public, if you commit it then people can easily access it, of course don't committing will not completely protect it but is better than giving direct access to your envs and api key.

You can commit it but in my opinion that isn't the best approach.

The point is, the runnable is hosted at client side. If an api key leaking would damage your data or billing account, never put it in an env file or even source code.

For example, a Google map api key, it would damage my billing account if someone got it. So Google would protect you by the api key and whitelisting domain / package / fingerprints

fattomhk picture fattomhk on 3 Mar 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

arcollector picture arcollector  路  4Comments
aajkishore picture aajkishore  路  3Comments
jstlaurent picture jstlaurent  路  4Comments
iadcg picture iadcg  路  3Comments
swl367 picture swl367  路  4Comments