Ok to have the Pro token in package.json visible on GitHub?



usnjay asked 6 years ago

I'm installing the Pro version using this page: https://mdbootstrap.com/docs/angular/getting-started/migration/, which apparently is the closest thing to installation instructions for an existing project.

After installation my package.json has a reference that includes my github-generated access token: https://git.mdbootstrap.com: "ng-uikit-pro-standard": "git+https://oauth2:MY-TOKEN-HERE@git.mdbootstrap.com/mdb/angular/ng-uikit-pro-standard.git"

I host my application on a public GitHub and build from there using Azure DevOps. Any references on how to hide the token, but still use it for Production builds that need the token on GitHub?


Bartłomiej Malanowski staff pro premium commented 6 years ago

You might store your personal token in the .env file and not share its content publicly


usnjay commented 6 years ago

Thanks for the reply. That won't work though, the .env files store required configuration data such as the API URLs and (public) OAuth settings.


Bartłomiej Malanowski staff pro premium commented 6 years ago

Does your GitHub repository have to be public? Recently, GitHub announced that they allow creating private projects for free. Here's the reference: https://github.blog/2019-01-07-new-year-new-github/


usnjay commented 6 years ago

Yes, it will have to be public. Many, if not most, large projects are public these days and accept pull requests.

I think the answer will require build-time variables passed in from the command line. Believe that's possible with VSCode and Azure DevOps, I'm looking into it now. It's a pretty big additional complication though, not sure I would have purchased if I'd realized it in advance.

Can you just accept the licenses being public and basically count on the legal system to keep people honest? Any company that uses your product isn't going to risk building software with an invalid license. A lot of companies use that model.


Mateusz Leciejewski staff pro premium priority commented 6 years ago

Hello,

We understand that corporations rarely risk this type of behavior. However, apart from large companies, MDB includes individual developers and so far we have had a lot of cases of theft of licenses that we had to pursue. Although all these cases have been detected and solved, it costs us some time and at the moment we cannot risk this type of move.

Nevertheless, we'll discuss this subject in the team.

Best, Mateusz


usnjay commented 6 years ago

Thanks, certainly understand that it's a tough problem. Appreciate your responses.
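
The build-time approach raised in the thread, as an added example that is not part of the original posts and is not MDB's code: the committed package.json keeps the dependency URL without the token, a repository check flags any URL that still carries one, and the build agent injects the token from a secret variable just before installing. The function names, the MDB_TOKEN variable name and the sample token are assumptions.

```javascript
// Added example, not MDB's code. MDB_TOKEN is an assumed secret variable name.
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];
// Split "git+https://user:pass@host/path" into npm's "git+" prefix and a parsed URL.
function parseSpec(spec) {
  const m = /^(git\+)?(https?:\/\/.+)$/.exec(String(spec));
  try { return m && { prefix: m[1] || '', url: new URL(m[2]) }; } catch (e) { return null; }
}

// Visit every URL-style dependency; edit(p, section, name) returns true if it changed p.url.
function mapUrlDeps(pkg, edit) {
  const out = JSON.parse(JSON.stringify(pkg)); // work on a copy, never the input
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(out[section] || {})) {
      const p = parseSpec(spec);
      if (p && edit(p, section, name)) out[section][name] = p.prefix + p.url.href;
    }
  }
  return out;
}

// Check for the public repo: dependencies whose URL carries a password or token.
function findEmbeddedCredentials(pkg) {
  const hits = [];
  const note = (p, section, name) => { if (p.url.password) hits.push(`${section}.${name}`); };
  mapUrlDeps(pkg, note); // note() returns undefined, so nothing is rewritten
  return hits;
}

// Form to commit: the same URL with the userinfo part removed.
function stripCredentials(pkg) {
  return mapUrlDeps(pkg, (p) => {
    if (!p.url.username && !p.url.password) return false;
    p.url.username = ''; p.url.password = '';
    return true;
  });
}

// Build agent only: add oauth2:<token> for one host, e.g. token = process.env.MDB_TOKEN.
function injectToken(pkg, host, token) {
  if (!token) throw new Error('token missing: define the secret build variable');
  return mapUrlDeps(pkg, (p) => {
    if (p.url.host !== host) return false;
    p.url.username = 'oauth2'; p.url.password = token;
    return true;
  });
}
// Constructed sample mirroring the dependency line quoted in the question.
const committed = { dependencies: { rxjs: '^6.0.0', 'ng-uikit-pro-standard':
  'git+https://oauth2:EXAMPLE-TOKEN@git.mdbootstrap.com/mdb/angular/ng-uikit-pro-standard.git' } };
```

On the build agent the result of injectToken would be written over package.json in the temporary checkout only, before the install step; a token that has already been pushed to a public repository should be revoked and reissued.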



Status

Open

Specification of the issue
  • User: Free
  • Premium support: No
  • Technology: MDB Angular
  • MDB Version: 7.4.3
  • Device: N/A
  • Browser: N/A
  • OS: N/A
  • Provided sample code: No
  • Provided link: Yes