I have a small Sinatra app I'm running on Heroku that uses a single admin password, plus a couple API authentication keys.
Where's the best place to store these things? Do I put them in environment variables, and use

    heroku config:add ADMIN_PASSWORD=foobar

Or do I use a config file that contains them, and I simply don't commit the config file?

I stick API keys and that sort of thing in a config yaml, like so

    development:
      twitter_api_key: stringstringstring
      chunky: bacon
    production:
      twitter_api_key: gnirtsgnirtsgnirts
      foo: bar

then use Sinatra's built-in set to handle the data.

    require 'yaml'

    configure do
      # Load only the section matching the current environment (development, production, ...)
      yaml = YAML.load_file(settings.config + "/config.yaml")[settings.environment.to_s]
      # Register each key/value pair as a Sinatra setting
      yaml.each_pair do |key, value|
        set(key.to_sym, value)
      end
    end

And I can then access them from the settings object. I'm not sure why you wouldn't commit the config file, though . . . there's no major security risk here, since only those paths that you've explicitly defined can be accessed via the web. I guess the admin password could be stored in the same manner if you don't want to put it in a database, but I would at least encrypt it with a salt.
Just be careful not to step on Sinatra's Configuration settings when defining your own.
EDIT:
I think I just realized why you would prefer not to commit the config file. If you're working on an open source project, you certainly wouldn't want to commit the config file to your open source repo, but you would need to commit the file to Heroku in order for it to work. If this is the case, I'd either:
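
The environment-variable option from the question, combined with the salted hash the answer suggests, as an added example that is not part of the original thread. The answer names no algorithm, so this uses PBKDF2-HMAC-SHA256 from Ruby's standard library; the variable names `ADMIN_PASSWORD_HASH` and `TWITTER_API_KEY`, the `salt:hash` storage format and the iteration count are assumptions.

```ruby
require "openssl"
require "securerandom"

ITERATIONS = 200_000 # assumed work factor
KEY_LEN    = 32      # derived key length in bytes

# Run once locally; store the result with `heroku config:add`
# instead of the plaintext password. Output format: "salt_hex:hash_hex".
def hash_admin_password(password, salt = SecureRandom.random_bytes(16))
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                                  OpenSSL::Digest.new("SHA256"))
  "#{salt.unpack1('H*')}:#{dk.unpack1('H*')}"
end

# Read a required secret; raising here makes a missing config var
# fail at boot rather than at the first request that needs it.
def fetch_secret(name, env = ENV)
  value = env[name].to_s
  raise KeyError, "missing config var #{name}" if value.empty?
  value
end

# Compare without returning early on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive the hash from the submitted password using the stored salt.
def admin_password_ok?(candidate, env = ENV)
  salt_hex, expected = fetch_secret("ADMIN_PASSWORD_HASH", env).split(":", 2)
  raise ArgumentError, "malformed ADMIN_PASSWORD_HASH" unless expected
  actual = hash_admin_password(candidate, [salt_hex].pack("H*")).split(":", 2).last
  secure_equal?(actual, expected)
end

if __FILE__ == $0
  # Constructed values standing in for what Heroku would inject into ENV.
  env = { "ADMIN_PASSWORD_HASH" => hash_admin_password("correct horse"),
          "TWITTER_API_KEY"     => "constructed-key" }
  puts admin_password_ok?("correct horse", env)
  puts admin_password_ok?("foobar", env)
  puts fetch_secret("TWITTER_API_KEY", env)
end
```

With this layout the repository and the config file hold neither the plaintext password nor the API key, so the same code can be pushed to a public repo and to Heroku.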