Description
The recaptcha API keys are still in plaintext in the code:
https://github.com/jvperrin/hkn-rails/blob/master/config/initializers/recaptcha.rb
It appears this was committed in
Fixing this will involve moving this to the rails secrets storage: https://guides.rubyonrails.org/security.html#environmental-security
GitHub has recommended practices at https://help.github.com/en/articles/removing-sensitive-data-from-a-repository.
Following a rewrite of the git history to remove the commits with the recaptcha API keys, we should also rotate them. @jvperrin is this doable in the Google Admin console?
- Merge Remove secrets #188 to remove API secrets
- Rotate API key
I'm opting not to remove this from the history: the first commit to add these in plaintext was 0115bbe, over 8 years ago.
Specifically, the relevant commits are:
Removing these commits would require rewriting nearly the entire history of the repo. Rotating the key and loading from secrets.yml should be sufficient.
This issue is blocking making the repo public (#182).
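The fix agreed above (rotate the key, then load it from Rails secrets storage instead of a literal in the initializer) and the earlier pointer to the Rails guide both describe the same change. The following is an added example, not code from hkn-rails or from PR #188: it shows a `secrets.yml` layout whose production entries come from the environment, a loader that refuses to start with a missing or placeholder key, and a small check a pre-commit hook or CI step could run over `config/initializers/recaptcha.rb` to catch a literal key being reintroduced. The YAML, the environment variable names `RECAPTCHA_SITE_KEY` / `RECAPTCHA_SECRET_KEY`, and the module name `RecaptchaSecrets` are all assumptions made for this example; `Recaptcha.configure` is the recaptcha gem's own API and is only called if the gem is loaded.

```ruby
require "yaml"
require "erb"

# Constructed sample of config/secrets.yml. Development values are obvious
# placeholders; production values are pulled from the environment at boot,
# so nothing secret ever sits in the repository.
SAMPLE_SECRETS_YML = <<~YAML
  development:
    recaptcha_site_key: dev-site-key-placeholder
    recaptcha_secret_key: dev-secret-key-placeholder
  production:
    recaptcha_site_key: <%= ENV["RECAPTCHA_SITE_KEY"] %>
    recaptcha_secret_key: <%= ENV["RECAPTCHA_SECRET_KEY"] %>
YAML

# Hypothetical helper module for this example.
module RecaptchaSecrets
  class MissingSecret < StandardError; end

  # Values that are clearly not real credentials; rejected in production.
  PLACEHOLDER_PATTERN = /placeholder|changeme|example/i

  # Literal string assigned to a *_key setting in an initializer; the
  # pattern a repo check would flag before the commit lands.
  LITERAL_KEY_PATTERN = /\b(?:public|private|site|secret)_key\s*=\s*["'][^"']+["']/

  # Render the ERB in the YAML (Rails does the same for secrets.yml), pick
  # the section for +env+, and validate both keys before returning them.
  def self.load(yaml_text, env:)
    rendered = ERB.new(yaml_text).result
    all = YAML.safe_load(rendered) || {}
    section = all.fetch(env.to_s) { raise MissingSecret, "no secrets section for #{env}" }
    site = section["recaptcha_site_key"]
    secret = section["recaptcha_secret_key"]
    validate!(:recaptcha_site_key, site, env)
    validate!(:recaptcha_secret_key, secret, env)
    { site_key: site, secret_key: secret }
  end

  # Fail loudly at boot rather than silently running with an unset key.
  def self.validate!(name, value, env)
    if value.nil? || value.to_s.strip.empty?
      raise MissingSecret, "#{name} is not set for #{env}"
    end
    if env.to_s == "production" && value.to_s.match?(PLACEHOLDER_PATTERN)
      raise MissingSecret, "#{name} looks like a placeholder in production"
    end
  end

  # True if the initializer source still assigns a key from a string literal.
  def self.hardcoded_literal?(source)
    source.match?(LITERAL_KEY_PATTERN)
  end
end

# What config/initializers/recaptcha.rb would then do with the loaded keys.
# Attribute names depend on the recaptcha gem version (site_key/secret_key in
# recent releases, public_key/private_key in older ones).
def configure_recaptcha!(keys)
  if defined?(Recaptcha)
    Recaptcha.configure do |c|
      c.site_key = keys[:site_key]
      c.secret_key = keys[:secret_key]
    end
  end
  keys
end

if $PROGRAM_NAME == __FILE__
  puts "development: #{configure_recaptcha!(RecaptchaSecrets.load(SAMPLE_SECRETS_YML, env: :development))}"
  begin
    RecaptchaSecrets.load(SAMPLE_SECRETS_YML, env: :production)
  rescue RecaptchaSecrets::MissingSecret => e
    puts "production refused to boot: #{e.message}"
  end
  puts "literal key in initializer? #{RecaptchaSecrets.hardcoded_literal?('config.public_key = "abc123"')}"
end
```

With the environment variables unset, the production branch raises instead of configuring the gem with an empty key, which is the behaviour you want on a misconfigured deploy. The `hardcoded_literal?` check is deliberately a plain pattern match on the initializer's text so it can run in CI without loading Rails.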