# Configure your app

# Configure application

Depending on the third-party services you need, you will have to do the following:

  • Generate a secret to secure your authentication (use one generated by the Feathers CLI)
  • Create a Firebase app in the Firebase Console
    • retrieve the google-services.json to be stored as a secret file in the cordova directory
    • create an Android app in your Firebase app and keep track of the secret server key in Parameters > Cloud Messaging
  • Create a GCM application in the AWS SNS console using the previous server key
    • keep track of the app ARN
  • Create a new project for your app in the Google Cloud Console
    • Activate the Google+ API on your project
  • Create an OAuth2 ID for a Web App in Google Cloud Console > API & services
    • the redirect URL should match your.domain/auth/google/callback
    • download the JSON and keep track of the client ID and secret
  • Create an OAuth2 App in GitHub
    • the redirect URL should match your.domain/auth/github/callback
    • download the JSON and keep track of the client ID and secret
  • Create an AWS user in IAM with access to S3 API (e.g. AmazonS3FullAccess)
    • keep track of the access key ID and secret
  • Create a bucket for your app in the Kalisio account
    • keep track of its name
  • Create an AWS user in IAM with access to SNS API (e.g. AmazonSNSFullAccess)
    • keep track of the access key ID and secret


Note: some of the previous accounts/IDs are not app specific and can be shared across multiple apps, e.g. S3, SNS, etc.

Create required environment variables in a script file you can source before launching your app:

```bash
export APP_SECRET=xxx
export SNS_ACCESS_KEY=xxx
export SNS_ANDROID_ARN=xxx
export S3_ACCESS_KEY=xxx
export S3_BUCKET=xxx
```

Then, retrieve these variables in config files like this:

```js
// OAuth2 credentials are read from the environment, never hard-coded
github: {
  clientID: process.env.GITHUB_CLIENT_ID,
  clientSecret: process.env.GITHUB_CLIENT_SECRET
}
```

In your local development environment you should use the script to set up all the required secrets. This script should be safeguarded in a non-public environment.


You should never store production passwords or other sensitive production data in a clear form in public source code or config files.

During the CI/CD process the script travis.env.sh automatically generates a temporary environment file, based on the secret environment variables defined in your Travis repository settings or coming from a dedicated private repository (in this case only the access token of this repository needs to be in your Travis settings), to be sourced at the different stages.


You shouldn't use production secrets in development and test mode.

To avoid publishing production secrets by mistake we recommend generating an access key/token for each flavor AND third-party service required by your app, using the following naming convention for these tokens: flavor-service. For instance you would have dev-s3, test-s3 and prod-s3 keys to use the AWS S3 service respectively in the dev, test and production versions of your app.
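The checks below can be run after sourcing the secrets script and before launching the app. This is an added example, not part of the original documentation: the required variable names are the ones exported above, while `S3_KEY_NAME`, `SNS_KEY_NAME` and the function names are hypothetical and assume you record each key's flavor-service name next to the key.

```shell
#!/bin/sh
# Names in REQUIRED_VARS are the ones exported on this page; S3_KEY_NAME and
# SNS_KEY_NAME are hypothetical variables holding each key's flavor-service name.
REQUIRED_VARS="APP_SECRET SNS_ACCESS_KEY SNS_ANDROID_ARN S3_ACCESS_KEY S3_BUCKET"

# Succeeds only if the script exists and is unreadable by group and others.
env_file_is_private() {
  [ -f "$1" ] || return 1
  [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Prints each required variable that is unset, empty or still the "xxx" placeholder.
missing_vars() {
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"
    case "$value" in
      ""|xxx) printf '%s\n' "$name" ;;
    esac
  done
}

# Succeeds if a key name such as "dev-s3" belongs to the given flavor.
key_matches_flavor() {
  case "$2" in
    "$1"-?*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_secrets FLAVOR ENV_FILE: run every check and report problems on stderr.
check_secrets() {
  status=0
  env_file_is_private "$2" || { echo "$2: missing or readable by others" >&2; status=1; }
  for name in $(missing_vars); do
    echo "$name is not set" >&2; status=1
  done
  for key_name in ${S3_KEY_NAME:-} ${SNS_KEY_NAME:-}; do
    key_matches_flavor "$1" "$key_name" || { echo "$key_name used in $1" >&2; status=1; }
  done
  return "$status"
}
```

Call `check_secrets dev ./env.sh` (file name assumed) right after sourcing the script and stop the launch if it returns non-zero.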

# Configure CI/CD

As the application and the CI/CD build rely on third-party services, their configuration must include secrets like API keys, passwords, etc. and should not be pushed under source control unless you use private repositories or encryption. The CI/CD section explains how we manage it efficiently in a secure way, but this section details some basic mechanisms you can use if you need to store some CI/CD specific data securely.

# Secret variables

If some of the sensitive data are stored using environment variables, you have to use encrypted environment variables set either in the build file or in the repository settings.


If you'd like to set a value holding multiple lines or special characters, take care to surround it with " so that it will be properly escaped.

# Secret file

If you need additional sensitive data stored in files, create a secrets.tar containing all the secret files and encrypt it to secrets.tar.enc using the Travis CLI. This file will be decrypted before the build or whenever you need something inside.

Indeed, as mentioned in the documentation, it is not possible to encrypt multiple files, so you have to create a tar file containing the different secret files and encrypt the archive.

The table below lists for example the required files to publish a mobile app using Cordova:

| File | Description |
| --- | --- |
| keystore file | A binary file containing the private key of the certificate you need to sign the Android app |
| cordova build file | A JSON file used by Cordova to sign the generated application. It uses the keystore file |
| google play service account | A JSON file storing the data needed to use the Google Play service account |
| google services account | A JSON file storing the keys to access the various Google services |

You need to be logged into Travis CI before generating the secret file like this:

```bash
tar cvf secrets.tar your_keystore.keystore build.json google-play.json google-services.json
travis encrypt-file secrets.tar
```
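Before encrypting the archive, or after it has been decrypted in the build, its content can be checked against the expected file list and unpacked into a private directory. This is an added example, not part of the original documentation: the file names are the ones from the tar command above, the function names and target directory are hypothetical.

```shell
#!/bin/sh
# File names come from the tar command on this page (your_keystore.keystore
# is the page's own placeholder); function names are hypothetical.
EXPECTED_FILES="your_keystore.keystore build.json google-play.json google-services.json"

# Prints archive members that are not expected, e.g. stray files or
# entries with a path component such as "../build.json".
unexpected_members() {
  tar tf "$1" 2>/dev/null | while IFS= read -r member; do
    found=no
    for f in $EXPECTED_FILES; do
      if [ "$member" = "$f" ]; then found=yes; fi
    done
    [ "$found" = yes ] || printf '%s\n' "$member"
  done
}

# Prints expected files absent from the archive (all of them if it is unreadable).
missing_members() {
  listing=$(tar tf "$1" 2>/dev/null || true)
  for f in $EXPECTED_FILES; do
    printf '%s\n' "$listing" | grep -qxF -- "$f" || printf '%s\n' "$f"
  done
}

# unpack_secrets ARCHIVE DIR: refuse a surprising archive, then extract it
# into a directory that only the current user can read.
unpack_secrets() {
  [ -z "$(unexpected_members "$1")" ] || { echo "unexpected files in $1" >&2; return 1; }
  [ -z "$(missing_members "$1")" ] || { echo "files missing from $1" >&2; return 1; }
  ( umask 077 && mkdir -p "$2" && tar xf "$1" -C "$2" && chmod -R go-rwx "$2" )
}
```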