Recommended approach for handling config without checking into git

[iwaffles]

Hi everyone, love the project!

I'm curious if there's a pattern for using env vars instead of checking in the config.json file with app keys/secrets?

[simov]

You can load your app secrets dynamically on each request using the state overrides, here are some examples on how to do it. Or maybe query the database once per server instance and cache the secret in-memory.

Another way would be to query the database only once at the beginning and patch your entire Grant instance using the config property.

As for using environment variables I would create an env var containing just the path to the config.json file that can be anywhere on your file system. Or maybe have an env var specifically for the app secret but read it before loading Grant and replace it in your config.json?

Lastly, you can still add your entire configuration into git and into your project as that can be helpful in understanding how your setup works. The secrets can be encrypted and still stored as the secret key of your app in your configuration, but decrypted before use using one of the above methods. Depending on the environment that you use you may even have a fully managed services for that type of stuff like KMS in AWS, Key Vault in Azure and so on. You can even deploy your own, like the HashiCorp Vault for instance.