
I am a noob at RoR, so forgive me if this is a stupid question.

I am trying to have user subscription form in my simple app.

I basically followed this guide to get it to work:

http://cheshireoctopus.github.io/blog/2014/01/23/mailchimp-plus-gibbon-plus-rails-create-a-basic-sign-up-form/

My code is working and I can sign up with the form; however, I keep getting an email from MailChimp telling me that my key has been compromised. Sometimes I get this email after I try to send some test subscription, other times I just get it after I change my API key again.

I wanted to reach out to you to let you know that we had to disable an active API Key in your MailChimp account with the account name MYACCOUNTNAME.

We were able to find your API Key posted publicly, which gives someone full access to your account. Since it's been disabled, we don't recommend re-enabling it. Instead, you'll need to generate a new API Key in your account.

Am I supposed to somehow encrypt my key or something? Btw, my app is on Heroku. So how do I stop my keys from being disabled?

John
  • Do you host your repository on github, or anywhere publicly available? That might be the issue. – roman-roman Sep 12 '14 at 17:45
  • Ah, that's right. I push my code to GitHub, so my gibbon.rb file with my config is the reason? So I should add it to my .gitignore file? – John Sep 12 '14 at 17:48
  • Well, if you put it in .gitignore, it won't be in production either, and the production server won't be able to access MailChimp. – roman-roman Sep 12 '14 at 17:57

2 Answers


You probably host your code on GitHub, and, as the repository is public, even Google's robots can index it. Scammers can use your credentials as well.

There is nothing bad about hosting a repository on GitHub, though. Just use environment variables instead of storing the credentials in the code.

config/initializers/gibbon.rb:

# ENV keys must be strings: ENV[:api_key] raises TypeError (no implicit conversion of Symbol into String)
Gibbon::API.api_key = ENV["api_key"]

To set environment variable on heroku:

heroku config:set api_key=<your key>
roman-roman
  • I am not quite understanding here. I need to initialize gibbon in gibbon.rb: `Gibbon::API.api_key = "MY API KEY" Gibbon::API.timeout = 15 Gibbon::API.throws_exceptions = false`. If I don't put the key there, how will gibbon know what the key is? – John Sep 12 '14 at 18:02
  • Well, your MailChimp credentials, stored in `/config/initializers/gibbon.rb`, can be used by a scammer to take control over your MailChimp account and your payment data. – roman-roman Sep 12 '14 at 18:05
  • Ah, I see! But now how will I test my setup on my local environment? Since my local environment won't have access to the environment variable hosted on Heroku? – John Sep 12 '14 at 18:14

Okay I have figured this out.

For the production environment (Heroku), I followed the solution that roman provided above.

For my local environment, I installed the Figaro gem, which basically keeps my API key secret in an application.yml file in the config folder. It works great.

https://github.com/laserlemon/figaro

Here is my gibbon.rb initializer file in case anyone is wondering:

# Development: MC_key comes from config/application.yml via Figaro, which loads it into ENV
if Rails.env.development?
   Gibbon::API.api_key = ENV["MC_key"]
end

# Production: api_key is the Heroku config var (heroku config:set api_key=...)
# ENV keys must be strings; ENV[:api_key] raises TypeError
if Rails.env.production?
   Gibbon::API.api_key = ENV["api_key"]
end
Gibbon::API.timeout = 15
Gibbon::API.throws_exceptions = false

Where MC_key is the variable in my application.yml and api_key is the config var on Heroku.

hope this helps others!

John
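An added example, not code from the question or either answer, that puts the approach the two answers describe into one helper: the Heroku config var `api_key` in production, a Figaro-style `config/application.yml` (variable `MC_key`) in development, and a fail-fast error instead of any literal key in the initializer. It also goes one step beyond the thread and checks that the secrets file is covered by `.gitignore`, since a committed key in a public repository is what got the keys disabled. The names `resolve_mailchimp_key`, `load_figaro_file`, `secrets_file_ignored?` and `MissingMailchimpKey` are assumptions, not gibbon or Figaro API.

```ruby
require "yaml"

# Hypothetical helper code, not part of gibbon or Figaro.
class MissingMailchimpKey < StandardError; end

# Reads a Figaro-style config/application.yml: top-level keys apply to every
# environment, an optional "development:"/"production:" section overrides them.
def load_figaro_file(path, rails_env)
  return {} unless File.exist?(path)
  data = YAML.safe_load(File.read(path)) || {}
  scoped = data.fetch(rails_env, {})
  data.reject { |_, v| v.is_a?(Hash) }.merge(scoped)
end

# env is a Hash like ENV (keys must be strings: ENV[:api_key] raises TypeError).
# Production uses only the Heroku config var "api_key"; development uses MC_key
# from the environment or from the gitignored YAML file. Neither path ever
# falls back to a literal key in the initializer.
def resolve_mailchimp_key(env:, rails_env:, config_file: "config/application.yml")
  key =
    if rails_env == "production"
      env["api_key"]
    else
      env["MC_key"] || load_figaro_file(config_file, rails_env)["MC_key"]
    end
  if key.nil? || key.to_s.strip.empty?
    hint = rails_env == "production" ? "heroku config:set api_key=<your key>" : "add MC_key to #{config_file}"
    raise MissingMailchimpKey, "MailChimp API key not configured (#{hint})"
  end
  key
end

# True when the secrets file is covered by a .gitignore pattern, so `git add .`
# cannot push it to a public repository. Like git, a pattern without a slash
# matches the basename at any depth and a leading "/" anchors it to the root.
def secrets_file_ignored?(gitignore_path, config_file)
  return false unless File.exist?(gitignore_path)
  patterns = File.readlines(gitignore_path, chomp: true).map(&:strip)
  patterns.reject { |p| p.empty? || p.start_with?("#") }.any? do |p|
    p = p.delete_prefix("/")
    target = p.include?("/") ? config_file : File.basename(config_file)
    File.fnmatch?(p, target, File::FNM_PATHNAME)
  end
end

# In config/initializers/gibbon.rb this replaces both env-specific branches:
#   Gibbon::API.api_key = resolve_mailchimp_key(env: ENV, rails_env: Rails.env.to_s)
```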