
Configure your app

Configure application

Depending on the third-party services you need you will have to do the following:

  • Generate a secret to secure your authentication; use one generated by the Feathers CLI
  • Create a Firebase app in the Firebase Console
    • retrieve the google-services.json to be stored as a secret file in the cordova directory
    • create an Android app in your Firebase app and keep track of secret server key in Parameters > Cloud Messaging
  • Create a GCM application in the AWS SNS console using the previous server key
    • keep track of app ARN
  • Create a new project for your app in the Google Cloud Console
    • Activate the Google+ API on your project
  • Create an OAuth2 ID for a Web App in Google Cloud Console > API & services
    • the redirect URL should match your.domain/auth/google/callback
    • download the JSON and keep track of client ID and secret
  • Create an OAuth2 App in GitHub
    • the redirect URL should match your.domain/auth/github/callback
    • download the JSON and keep track of client ID and secret
  • Create an AWS user in IAM with access to S3 API (e.g. AmazonS3FullAccess)
    • keep track of access key ID and secret
  • Create a bucket for your app in the Kalisio account
    • keep track of its name
  • Generate private and public vapid keys

TIP

Note: some of the previous accounts/IDs are not app specific and can be shared across multiple apps, e.g. S3, etc.

Create required environment variables in a script file you can source before launching your app:

bash
export APP_SECRET=xxx
export GOOGLE_MAIL_USER=xxx
export GOOGLE_MAIL_PASSWORD=xxx
export VAPID_PUBLIC_KEY=xxx
export VAPID_PRIVATE_KEY=xxx
export VAPID_SUBJECT=xxx
export S3_ACCESS_KEY=xxx
export S3_SECRET_ACCESS_KEY=xxx
export S3_BUCKET=xxx
export GITHUB_CLIENT_ID=xxx
export GITHUB_CLIENT_SECRET=xxx
export GOOGLE_CLIENT_ID=xxx
export GOOGLE_CLIENT_SECRET=xxx

Then, retrieve these variables in config files like this:

js
github: {
  clientID: process.env.GITHUB_CLIENT_ID,
  clientSecret: process.env.GITHUB_CLIENT_SECRET
}

In your local development environment you should use the script to set up all the required secrets. This script should be safeguarded in a non-public environment.

DANGER

You should never store production passwords or other sensitive production data in a clear form in public source code or config files.

During the CI/CD process the script travis.env.sh automatically generates a temporary environment file, based on the secret environment variables defined in your Travis repository settings or coming from a dedicated private repository (in this case only the access token of this repository needs to be in your Travis settings), to be sourced at the different stages.

WARNING

You shouldn't use production secrets in development and test mode.

To avoid publishing production secrets by mistake we recommend generating an access key/token for each flavor AND third-party service required by your app, using the following naming convention for these tokens: flavor-service. For instance you would have dev-s3, test-s3 and prod-s3 keys to use the AWS S3 service respectively in the dev, test and production versions of your app.
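A startup check for the environment script and the flavor-service convention described above, as an added example that is not code from this project. The variable names come from the script above; `checkSecrets`, the `dev`/`test`/`prod` flavor list and the `*_KEY_NAME` label variables (e.g. `S3_KEY_NAME=dev-s3`) are assumptions made for illustration.

```javascript
// Added example, not project code. Variable names come from the env script above;
// checkSecrets and the *_KEY_NAME label variables are assumptions for illustration.
const REQUIRED = [
  'APP_SECRET', 'GOOGLE_MAIL_USER', 'GOOGLE_MAIL_PASSWORD',
  'VAPID_PUBLIC_KEY', 'VAPID_PRIVATE_KEY', 'VAPID_SUBJECT',
  'S3_ACCESS_KEY', 'S3_SECRET_ACCESS_KEY', 'S3_BUCKET',
  'GITHUB_CLIENT_ID', 'GITHUB_CLIENT_SECRET',
  'GOOGLE_CLIENT_ID', 'GOOGLE_CLIENT_SECRET'
]
const FLAVORS = ['dev', 'test', 'prod']

// Returns a list of problems. Messages carry variable names only, never values,
// so the result can be printed in build logs without leaking a secret.
function checkSecrets (env, flavor) {
  if (!FLAVORS.includes(flavor)) return [`unknown flavor "${flavor}"`]
  const problems = []
  for (const name of REQUIRED) {
    const value = env[name]
    if (typeof value !== 'string' || value.trim() === '') {
      problems.push(`${name} is not set`)
    } else if (/^x+$/i.test(value.trim())) {
      // The template script ships with "xxx" everywhere
      problems.push(`${name} still holds the template placeholder`)
    }
  }
  // Assumed convention: the label of each access key (e.g. "dev-s3") is exported
  // next to it as <SERVICE>_KEY_NAME, so a wrong-flavor key is caught at startup.
  for (const [name, label] of Object.entries(env)) {
    if (!name.endsWith('_KEY_NAME')) continue
    const match = /^(dev|test|prod)-[a-z0-9]+$/.exec(label)
    if (!match) {
      problems.push(`${name} does not follow flavor-service`)
    } else if (match[1] !== flavor) {
      problems.push(`${name} is a ${match[1]} key used in ${flavor}`)
    }
  }
  return problems
}

// Constructed sample environment: one placeholder left in, one production key in dev
const sampleEnv = Object.fromEntries(REQUIRED.map(name => [name, 'constructed-value']))
sampleEnv.GITHUB_CLIENT_SECRET = 'xxx'
sampleEnv.S3_KEY_NAME = 'prod-s3'

console.log(checkSecrets(sampleEnv, 'dev'))
```

Call it with `process.env` and the current flavor before the app starts, and exit when the returned list is not empty.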

Configure CI/CD

As the application and the CI/CD build rely on third-party services, their configuration must include secrets like API keys, passwords, etc., which should not be pushed under source control unless you use private repositories or encryption. The CI/CD section explains how we manage it efficiently in a secure way, but this section details some basic mechanisms you can use if you need to store some CI/CD specific data securely.

Secret variables

If some of the sensitive data are stored using environment variables, you have to use encrypted environment variables set either in the build file or in the repository settings.

WARNING

If you'd like to set a value holding multiple lines or special characters, take care to surround it with " so that it will be properly escaped.

Secret file

If you need additional sensitive data stored through files, create a secrets.tar containing all secured files and encrypt it to secrets.tar.enc using the Travis CLI. This file will be decrypted before the build or whenever you need something inside.

Indeed, as mentioned in the documentation, it is not possible to encrypt multiple files, so you have to create a tar file containing the different secret files and encrypt the archive.

The table below lists for example the required files to publish a mobile app using Cordova:

| File | Description |
| --- | --- |
| keystore file | A binary file containing the private key of the certificate you need to sign the Android app |
| cordova build file | A JSON file used by Cordova to sign the generated application. It uses the keystore file |
| google play service account | A JSON file storing the data needed to use the Google Play service account |
| google services account | A JSON file storing the keys to access the various Google services |

You need to be logged into Travis CI before generating the secret file like this:

tar cvf secrets.tar your_keystore.keystore build.json google-play.json google-services.json
travis encrypt-file secrets.tar