Hello! Long-time FCC Chat/Subreddit/Forum lurker, first-time poster (aside from some replies in the subreddit and some responses in chat).
I wanted to discuss the topic of the weather challenge. The issue is that we, of course, do not want to display API keys in CodePen since that is a huge security breach, (aka: Security wha…?)
I did a lot of searching about how we should be approaching this challenge when I found this GitHub issue started by Quincy: https://github.com/FreeCodeCamp/FreeCodeCamp/issues/3714
Unfortunately that ended up getting closed with no resolution. I decided that I would do some searches on CodePen purely to see how others handled the API key issue (I already have a good idea of how I'm going to code everything, so I felt like I wasn't cheating since all I was doing was searching their code for how they hid their API key or whether they had found an API that didn't require a key). To my amazement, every single pen I viewed had the API key displayed in the code!
I really like Forecast.io so far but I am trying really hard to find a way to hide the API key. One thought I have is that I have a webhost currently so maybe I could stick it in a PHP file, then call that file from my Codepen and the key would be hidden. Unfortunately it’s been a minute since I’ve done any serious PHP coding, so I’m not well-versed in security and I was concerned about how I could do this while ensuring no one could just go to the PHP file and download it or view it somehow. Unfortunately this may resolve it for me if there is such a solution, but I’d really like to see if we could figure out a way to make it secure for anyone who does the challenge. I feel teaching the right security methods from the get-go would prepare future developers much better.
So I bring this back up to attention, especially for those beginners who blindly put the key in their code without worrying about repercussions. What are some of the ways you more senior developers are handling this? Should this project be moved off CodePen altogether, and if so, what would you recommend doing?
Or should we just go ahead and put the key in there anyway? I know with Forecast.io it will start charging after 1000 calls in a day, so as long as we don’t put any billing in there, our app will just stop working, (I imagine), after the 1000th call for the day.
Thanks for any responses!
–Sam
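To make the "PHP file on my webhost" idea concrete, here is an added example of such a proxy. It is my code, not FreeCodeCamp's, Forecast.io's, or the original poster's, and it assumes three things that are not in the post: the key lives in a file one directory above the web root, the upstream URL has the shape `https://api.forecast.io/forecast/KEY/LAT,LON` (check the API docs), and the pen's requests arrive with a CodePen `Origin` header (check the browser's network tab for the exact value). The point it demonstrates is that PHP is executed by the server and never served as source, so the key is never in anything the browser can download; the cache at the end also addresses the 1000-calls-per-day worry, because repeated refreshes of the pen cost one upstream call every ten minutes per location.

```php
<?php
// weather-proxy.php: example proxy added for this post (assumption-labelled, not FCC's code).
// The pen calls https://yourhost.example/weather-proxy.php?lat=..&lon=.. and never sees the key.
declare(strict_types=1);

header('Content-Type: application/json');

// 1. Only answer cross-site requests from the pen's origin (assumed values; verify in the
//    network tab). A non-browser client can send any Origin it likes, so this is a
//    convenience that stops casual embedding, not authentication; the real protection is
//    that the key itself is never exposed and the cache below bounds upstream usage.
$allowedOrigins = ['https://codepen.io', 'https://s.codepen.io'];
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (!in_array($origin, $allowedOrigins, true)) {
    http_response_code(403);
    echo json_encode(['error' => 'origin not allowed']);
    exit;
}
header('Access-Control-Allow-Origin: ' . $origin);
header('Vary: Origin');

// 2. The key is read from a file OUTSIDE the document root, so it is neither in this
//    file nor in any path the web server will serve. (Path is an assumption; adjust.)
$key = trim((string) @file_get_contents(__DIR__ . '/../forecast_key.txt'));
if ($key === '') {
    http_response_code(500);
    echo json_encode(['error' => 'key not configured']);
    exit;
}

// 3. Validate the only two inputs the pen may pass. Rejecting anything that is not a
//    plausible coordinate means the caller cannot inject extra path segments or query
//    parameters into the upstream URL that carries the key.
$lat = filter_input(INPUT_GET, 'lat', FILTER_VALIDATE_FLOAT);
$lon = filter_input(INPUT_GET, 'lon', FILTER_VALIDATE_FLOAT);
if ($lat === false || $lat === null || $lon === false || $lon === null
    || $lat < -90.0 || $lat > 90.0 || $lon < -180.0 || $lon > 180.0) {
    http_response_code(400);
    echo json_encode(['error' => 'lat and lon must be valid coordinates']);
    exit;
}

// 4. Cache per rounded location for 10 minutes so a busy visitor hammering refresh
//    cannot burn through the free daily quota on your behalf.
$cacheFile = sys_get_temp_dir() . '/weather_' . md5(sprintf('%.2f,%.2f', $lat, $lon)) . '.json';
if (is_file($cacheFile) && (time() - filemtime($cacheFile)) < 600) {
    readfile($cacheFile);
    exit;
}

// 5. Make the upstream call server-side. The key is in this URL, but the URL never leaves
//    the server, and the response body does not echo it back.
$url = sprintf('https://api.forecast.io/forecast/%s/%.4f,%.4f', rawurlencode($key), $lat, $lon);
$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 10,
    CURLOPT_SSL_VERIFYPEER => true,
]);
$body   = curl_exec($ch);
$status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($body === false || $status !== 200) {
    http_response_code(502);
    echo json_encode(['error' => 'upstream request failed']);
    exit;
}

file_put_contents($cacheFile, $body, LOCK_EX);
echo $body;
```

Two things worth knowing when deploying this. First, the answer to "could someone just go to the PHP file and download it" is no, provided PHP is actually enabled for that directory: the server runs the script and returns its output, not its source, which is exactly why the key is read from a file above the document root rather than hard-coded. Second, if you ever need to restrict the proxy harder than an `Origin` allowlist can, the usual next steps are a per-IP rate limit on the proxy itself and registering the key with the provider's own domain or referrer restrictions where they offer them.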