
Proper way to handle secrets when deploying the site

Open fnick851 opened this issue 2 years ago • 1 comments

For the Next.js project, my understanding is, when running locally (npm run dev), the project looks for a .env.local for its needed secrets for local development. But if it is deployed to a server, running in production mode (next build & next start), does it look for another file (e.g. ".env")? Is this part of Next.js' convention, or unique to "next-drupal" libraries?

For the Drupal site, there is a "/keys" folder to store the public and private key files. When deploying the Drupal site, should those be regenerated, or should they be copied between environments? How to manage those?

In summary, in general what is one of the ideal strategies for managing these secrets?

Thank you!

fnick851 avatar Sep 28 '22 18:09 fnick851

  1. env variables are coming from nextjs. See https://nextjs.org/docs/basic-features/environment-variables#environment-variable-load-order. They should not be tracked on git but you can use secrets (e.g. when using GitHub) to fill them for each environment.

  2. Keys for simple_oauth should be created for every website and (normally) they should not be tracked on git. Also, they are (normally) generated on the private folders file (or at least on a folder not accessible to the public).

theodorosploumis avatar Oct 10 '22 07:10 theodorosploumis
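
A pre-deploy check for the two points in the reply above, as an added example that is not from this thread or from the next-drupal project. The file patterns (`.env*.local`, `*.key`, `*.pem`, `private.key`) and the directory arguments are assumptions to adapt to your own layout.

```shell
#!/bin/sh
# Added example: verify that secrets are not tracked in git and that the
# OAuth key directory is not exposed. File names are assumed conventions.

# Reads repository paths on stdin (e.g. from `git ls-files`) and prints
# those that look like per-environment secrets or key material.
find_tracked_secrets() {
  while IFS= read -r path; do
    case "$path" in
      .env.local|.env.*.local|*/.env.local|*/.env.*.local) echo "$path" ;;
      *.key|*.pem) echo "$path" ;;
    esac
  done
}

# Exit 0 when key_dir resolves (symlinks followed) to a location inside
# web_root, 1 when it is outside, 2 when either directory is missing.
key_dir_is_public() {
  key_dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
  web_root=$(cd "$2" 2>/dev/null && pwd -P) || return 2
  case "$key_dir/" in
    "$web_root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 0 when the file has the "other: read" permission bit set.
world_readable() {
  [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# usage: check_deploy <repo_dir> <key_dir> <web_root>
check_deploy() {
  status=0
  tracked=$(git -C "$1" ls-files | find_tracked_secrets)
  if [ -n "$tracked" ]; then
    echo "tracked in git:"; echo "$tracked"; status=1
  fi
  if key_dir_is_public "$2" "$3"; then
    echo "key directory $2 is inside web root $3"; status=1
  fi
  if world_readable "$2/private.key"; then
    echo "$2/private.key is world-readable"; status=1
  fi
  return "$status"
}
```

Run `check_deploy` as a CI step before the deploy job so that a non-zero exit blocks the release.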

@fnick851 did you figure this out?

shadcn avatar Oct 14 '22 08:10 shadcn

@shadcn yes I did. Closing.

fnick851 avatar Oct 14 '22 12:10 fnick851