Damage Control
What to do if you accidentally publish your API key
Last week while coding, I came across a small project I had been working on long ago. I decided I wanted to revive the project and continue working on it. The project was in its very early stages and I figured I’d make a repo on Github and push the code up before I added to it.
As soon as I pushed my code up to Github, I received an email from Google Developer Services that said “We have detected a publicly accessible Google API key”. Oh no!! Somewhere in my code, I had a google API key that I had not hidden. And I had just put it up publically on GitHub….
Here are the steps I took to correct my mistake:
1. Delete the API key
This is so important! Unless you want to get billed thousands of dollars because someone stole your API key, delete the key immediately!
My google developer account has my credit card info and so I quickly rushed over to delete the key that I had accidentally published. I’d say the key was public for less than 5 min, and I haven’t seen any crazy charges yet so here's hoping I’m in the clear.
I also deleted the key from the GitHub repo after but since the key was already deleted from my Google account by now the key would have been invalid.
2. Generate a new API key
Now that my old key was discarded, I needed a new key. I went and generated a new key. This time I was sure to put restrictions on the key!
Google allows you to restrict your API keys by the specific APIs, IP addresses, referrer URLs, and/or mobile apps. By protecting the key you can significantly reduce the impacts if your key was to be compromised.
3. Hide the New API Key
I was not going to make the same mistake twice. This time I properly hide the API key in an environment variable before pushing my code up to Github. This way the key would stay a secret.
There are many ways to hide your API key properly. I used the reference below and the blog post explains how to hide your keys in a React or Rails app.
Reference: How to Hide Your API Keys
4. Make a New key for Each App
Phew! I should be in the clear now… Nope! I had made another rookie mistake. I had used the same API key for two apps. I had used the key on my Seattle Parks App, my capstone project for Flatiron, that is now deployed! Now I had a deployed app that was no longer working since the API key was deleted.
Google advises using different keys for each application since this will limit the scope of each key. This also means once one key is deleted you don't have to update your other apps… like I had to do.
Reference: API Key Best Practices
5. Reset Your Environment Variables and Deploy
After creating a new key for my deployed app I needed to reset the API key variables. I had deployed the app using Heroku and Heroku allows you to set your environment variables using the CLI or their website (see reference).
Here is where I ran into a bit of an issue. I could see that my environment variables had all updated and were correct but my app was still not working! I was frantically googling but could not find a solution anywhere.
Then, after using my phone-a-friend lifeline we realized, I forgot to deploy the app again with the new configurations! Silly me! So if you reset your Heroku environment variables and it's not working, check to make sure you have deployed it!
Reference: Setting Environment Variables in Heroku
Moral of the Story
Finally, after all these steps, my API key was safe and all my applications were working as they were before. What a relief! I may have spent half a day of work getting to where I was at the beginning of the day but I learned a very valuable lesson: Don't Trust Your Past Self!
It seems like younger Sara made quite a few mistakes, from not hiding her key to using the same key for multiple apps. Before pushing my old code up to GitHub I should have spent more time checking my work. After all, with time I'm getting better at coding and following best practices and though my past mistakes caused me some grief I’m happy to see my improvements.