Cloudinary Image API Example


#1

Project URL: https://glitch.com/edit/#!/picture-store

A project to demonstrate Cloudinary API + a simplified accounts system. This is an Express.js project, designed to work well with the Glitch development environment. It includes basic express setup, templating, routing and session support + rudimentary user accounts. It is backed by a simple lowdb json database.

It requires a credentials file containing valid cloudinary account details (see README.md). The app is part of the course material for an introductory web development course:


#2

Hi Eamonn,

great application! Thanks for sharing!

However, I have to alert you that the README suggests an unsafe practice: putting your private credentials in .env.json would make them readable to anyone! The only “safe” place that we suggest for secrets is .env. You might also put files in .data/, and they will be hidden and not remixable by default, but it is not suggested.

If you had your secrets in .env.json after you posted this, someone might have looked and copied them, so we suggest that you rotate your secrets!

If you need more help don’t hesitate to ask :slight_smile:


#3

Hi there,

Thanks for the quick response! - I had naively assumed that the .env.json was also hidden. I will move it to the .data folder - which should be ok?

Regards
Eamonn


#4

Hi Eamonn,

yes, things in .data are safe, but are difficult to access: the editor does not show them. .data is mainly intended for private binary files (for example, if you are not already, we suggest you put your lowdb database in .data too).

We suggest that secrets like credentials are put in .env. I’ve remixed your project and adjusted it. If you like the result, you can incorporate the changes in your project. I’ve changed README.md, .env and models/picture-store.js. The link is: https://glitch.com/edit/#!/beautiful-production


#5

Thanks Again,

Yes, the database may be better in .data. The app is intended for entry-level (1st year) programming students, so I was keen they could view the lowdb json files as they evolved the app. If the db was in .data it would perhaps have lessened the learning experience, as the files would be invisible.

The same was the case with putting the credentials in a json file: I wanted beginners to be able to download and run immediately locally, rather than having to figure out environment variables etc.

Thanks again for the feedback.


#6

Oh, I see!

thanks for the feedback! We strive to be a good learning platform, so your concerns are really helpful!

Others highlighted the issue of not showing .data, we are evaluating possible solutions but we can’t give you an estimate of when they’ll be available yet. But if this is just an educational project, you can choose to keep the .json files visible, since I don’t think they’ll contain sensitive information.

On the other hand, there is a solution for the .env file: you can use the npm package named dotenv, which loads the environment variables from the .env file. We already do it in Glitch, but you can add it to your project to make sure it will keep working even if you run the same code outside of Glitch :slight_smile:

Thanks again!