While developing a Rails application, we need to keep project-specific sensitive information secure: for example, API keys for third parties like Stripe and PayPal, passwords, or configuration data such as the URL. We can set these as environment variables in a separate file. There are a few gems available to achieve this.
Why do we need configuration variables?
While developing our application, if we hard-code the sensitive data and commit it, anyone who has access to our code can see the sensitive information. To prevent that, we can set the values as environment variables. Environment variables are set at the operating system level, in an environment that our application has access to.
How to set environment variables in Rails:
1. If we set the environment variable in our .bashrc file, it will be available to the Rails app.
Setting environment variables with lines like:
In the Rails console or irb, you can access your environment variable:
Note: Too many environment variables for different environments (testing, production, development) may clutter the .bashrc file, which will end up as a very large file to manage.
2. Dotenv Gem
The Dotenv gem is available for setting project-specific environment variables. You just need a .env file in your app root directory. This file contains all the variables. Example:
Calling these variables is easy:
Note: Don't commit the .env file. Add the .env file to .gitignore.
Note: You can also use the .env file with the foreman gem to manage your environment variables.
3. Figaro gem
Figaro is similar to dotenv; however, it keeps environment variables in a YAML file (config/application.yml). It comes with a generator to create application.yml and git-ignore the file.
4. Using built-in secrets.yml
secrets.yml is a built-in file in Rails 4.1 and above. You can add secrets in config/secrets.yml. It's similar to Figaro's application.yml. It already has secret_key_base for your app, which prevents session tampering. It doesn't require any other dependency to load the variables. However, keeping secrets in this file is not a good solution.
You can create a YAML file and keep the secrets in that file. Also git-ignore the file. You need to initialize the variables. For that, you can create an initializer file that reads this YAML file and sets the environment variables on application boot-up.
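One way to write such an initializer, as an added example that is not code from the original post. The file name config/app_secrets.yml, the function name load_env_from_yaml and the sample keys and values are assumptions made for illustration.

```ruby
require "yaml"
require "tempfile"

# Copy the key/value pairs of one environment section from a YAML file into env.
# Variables that are already set win, so real OS-level values are never overridden.
# Returns the list of keys that were newly set.
def load_env_from_yaml(path, environment, env = ENV)
  # The file is git-ignored, so it may legitimately be absent (CI, production hosts).
  return [] unless File.exist?(path)

  # safe_load refuses arbitrary Ruby object tags; an empty file parses to nil/false.
  data = YAML.safe_load(File.read(path)) || {}
  raise ArgumentError, "#{path}: top level must be a mapping" unless data.is_a?(Hash)

  section = data[environment.to_s] || {}
  raise ArgumentError, "#{path}: '#{environment}' must be a mapping" unless section.is_a?(Hash)

  section.each_with_object([]) do |(key, value), newly_set|
    key = key.to_s
    next if env.key?(key)   # keep the value the OS or deploy tooling provided
    env[key] = value.to_s   # ENV stores strings only, so 587 becomes "587"
    newly_set << key
  end
end

# Constructed sample content for the hypothetical config/app_secrets.yml.
SAMPLE_YAML = <<~YML
  development:
    STRIPE_API_KEY: constructed-test-key
    SMTP_PORT: 587
  production:
    STRIPE_API_KEY: set-on-the-server-not-here
YML

# Runs the loader against the sample, using a plain Hash in place of ENV.
def demo
  env = { "SMTP_PORT" => "2525" } # pretend the shell already exported this
  Tempfile.create("app_secrets") do |f|
    f.write(SAMPLE_YAML)
    f.flush
    load_env_from_yaml(f.path, "development", env)
  end
  env
end

# In a Rails initializer (for example config/initializers/load_secrets.rb) the call would be:
#   load_env_from_yaml(Rails.root.join("config", "app_secrets.yml"), Rails.env)
```

Initializers run after config/application.rb and the environment files, so settings read there will not see these values.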
Which is the best solution?
Use bashrc if your variables list is not too long.
Most developers use dotenv or Figaro to manage app-specific secrets. Setting up the environment variables file is easy.
If you don't want any gem dependency to set up environment variables, you may opt for a simple YAML file and load the variables at boot-up.