
Remove .env file (weg-li issue, closed)

levino commented on July 29, 2024
Remove .env file

from weg-li.

Comments (5)

phoet commented on July 29, 2024

Those are valid app credentials for local development.


levino commented on July 29, 2024

I do not understand: These keys are used to enable OAuth signup with, for example, GitHub. These keys are valid for some kind of "testing app" in GitHub, I guess. Which one is it? It should have some kind of public website like other apps. If someone were to create a fake weg.li website for some reason, maybe users would not see that they are logging in with the testing app. I think it is never good to publicly share something that is marked as "secret". Even if: Committing a .env file is dangerous imo, because eventually someone will try to debug some production bug and adjust these values in the file. By accident they might then commit the changes and publish them. Having this file under source control is asking for trouble imo. I think it should be deleted and gitignored. Then you can create one locally with this data. Anyone else who wants to work on the logins just needs to create their own apps in GitHub, Google, etc. Piece of cake but danger removed. If the file (the environment variables) is not present, just disable the login with the respective services.

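A sketch of the approach suggested in the comment above, added here as an example and not code from weg-li or from either participant: with `.env` untracked, a login provider is enabled only when its credentials are present in the environment, and a half-configured provider is reported instead of silently enabled. The variable names and the placeholder patterns are assumptions.

```ruby
# Added example, not weg-li's code. Variable names are hypothetical.
PROVIDERS = {
  github: %w[GITHUB_CLIENT_ID GITHUB_CLIENT_SECRET],
  google: %w[GOOGLE_CLIENT_ID GOOGLE_CLIENT_SECRET]
}.freeze

# Values treated as "not configured": empty strings and the kind of
# template placeholders found in a committed .env.example (assumed list).
PLACEHOLDER = /\A\s*(changeme|todo|xxx+|<.*>)?\s*\z/i

def configured?(env, key)
  value = env[key]
  !value.nil? && !value.match?(PLACEHOLDER)
end

# Returns { enabled: [providers], partial: { provider => [missing keys] } }.
# A provider with no variables set at all is simply left disabled.
def oauth_provider_status(env, providers = PROVIDERS)
  status = { enabled: [], partial: {} }
  providers.each do |name, keys|
    missing = keys.reject { |key| configured?(env, key) }
    if missing.empty?
      status[:enabled] << name
    elsif missing.size < keys.size
      # Only part of the pair is set: likely a copy/paste mistake worth logging.
      status[:partial][name] = missing
    end
  end
  status
end

# Constructed sample environment (values are made up, not real credentials).
SAMPLE_ENV = {
  "GITHUB_CLIENT_ID" => "constructed-client-id",
  "GITHUB_CLIENT_SECRET" => "constructed-client-secret",
  "GOOGLE_CLIENT_ID" => "constructed-client-id",
  "GOOGLE_CLIENT_SECRET" => "changeme"
}.freeze

puts oauth_provider_status(SAMPLE_ENV).inspect if __FILE__ == $PROGRAM_NAME
```

In an application, the same function would be called with `ENV.to_h` at boot, and only the providers in `:enabled` would be registered with the login layer.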

levino commented on July 29, 2024

Maybe also https://www.dotenv.org/security/ could be interesting...


phoet commented on July 29, 2024

Well, I disagree


levino commented on July 29, 2024

Okay. I accept. I suggest keeping this issue closed then, if that is your decision. As a final remark I would like to highlight the recommendation of the dotenv project against committing .env files. Nevertheless, this is not a critical issue as of now and for me the matter can be closed. Since you reopened the issue (and I do not really understand why), I leave you the honor of closing it again, if you want to.
