Topic: Ok to have the Pro token in package.json visible on GitHub?
I'm installing the Pro version using this page: https://mdbootstrap.com/docs/angular/getting-started/migration/, which apparently is the closest thing to installation instructions for an existing project.
After installation my package.json has a reference that includes my github-generated access token: https://git.mdbootstrap.com: "ng-uikit-pro-standard": "git+https://oauth2:MY-TOKEN-HERE@git.mdbootstrap.com/mdb/angular/ng-uikit-pro-standard.git"
I host my application on a public github and build from there using Azure DevOps. Any references on how to hide the token, but still use it for Production builds that need the token on GitHub?
FREE CONSULTATION
Hire our experts to build a dedicated project. We'll analyze your business requirements, for free.
Opened
- ForumUser: Free
- Premium support: No
- Technology: MDB Angular
- MDB Version: 7.4.3
- Device: N/A
- Browser: N/A
- OS: N/A
- Provided sample code: No
- Provided link: Yes
Bartłomiej Malanowski staff commented 5 years ago
You might store your personal token in the .env file and don't share its content public
usnjay free commented 5 years ago
Thanks for the reply. That won't work though, the .env files store required configuration data such as the API URLs and (public) Oauth settings.
Bartłomiej Malanowski staff commented 5 years ago
Does your GitHub repository have to be public? Recently, GitHub announced, they allow creating private projects for free. Here's the reference: https://github.blog/2019-01-07-new-year-new-github/
usnjay free commented 5 years ago
Yes, it will have to be public. Many, if not most, large projects are public these days and accept pull requests.
I think the answer will require build-time variables passed in from the command line. Believe that's possible with VSCode and Azure DevOps, I'm looking into it now. It's a pretty big additional complication though, not sure I would have purchased if I'd realized it in advance.
Can you just accept the licenses being public and basically count on the legal system to keep people honest? Any company that uses your product isn't going to risk building software with an invalid license. A lot of companies use that model.
Mateusz Leciejewski staff commented 5 years ago
Hello,
We understand that corporations rarely risk this type of behavior. However, apart from large companies, MDB includes individual developers and so far we have had a lot of cases of theft of licenses that we had to pursue. Although all these cases have been detected and solved, it costs us some time and at the moment we can not risk this type of move.
Nevertheless, we'll discuss this subject in the team.
Best, Mateusz
usnjay free commented 5 years ago
Thanks, certainly understand that it's a tough problem. Appreciate your responses.