Show HN: I built an open source event-management system (github.com)
175 points by iyanuashiri 8 months ago | hide | past | web | favorite | 31 comments

Looks like you committed a .env file previously with some semi-private details contained within it, plus you’ve hardcoded some Cloudinary API credentials. You may want to rotate them before they’re abused by someone.

Edit: oh and some database credentials & getstream.io api credentials

Made a little tool to catch these things: https://github.com/zricethezav/gitleaks. Working on a CI version of it right now as well. Gotta protect those credentials.

Edit: CI version here - https://github.com/zricethezav/gitleaks-ci. Work in progress, trying to add a readme and instructions tonight. Also if anyone is interested in making gitleaks-ci into a paid GitHub app... hmu

This is very cool! I built something very similar about a year back [0] -- yours looks like it supports some things that mine doesn't but that I've been wanting to add, such as providing the commit hash of the offending commit, which isn't something mine does due to the git diff parsing package I'm using.

[0]: https://github.com/ezekg/git-hound
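The commit-hash reporting that the git-hound comment above says is hard to get from a diff-parsing library comes almost for free when you walk `git log -p` output yourself, which is also the kind of scan gitleaks does over history. This is an added example, not code from gitleaks, git-hound or the submitted project; the credential patterns and the log excerpt are constructed placeholders.

```python
import re

# Credential shapes of the kinds named in the thread (Cloudinary URL, AWS key).
# Constructed placeholder patterns; extend with whatever your services issue.
PATTERNS = {
    "cloudinary_url": re.compile(r"cloudinary://\d+:[A-Za-z0-9_-]+@[A-Za-z0-9_-]+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})$")
FILE_RE = re.compile(r"^\+\+\+ (?:b/)?(\S+)")

def scan_git_log(log_text):
    """Walk `git log -p` text, remembering the current commit and file so every
    hit is reported with the hash of the commit that introduced it."""
    hits = []
    commit = path = None
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only lines *added* by this commit are inspected
        for name, pat in PATTERNS.items():
            if pat.search(line[1:]):
                hits.append((commit, path, name))
    return hits

# Constructed `git log -p` excerpt: a commit adds .env, a later one deletes it.
SAMPLE_LOG = """\
commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
--- /dev/null
+++ b/.env
@@ -0,0 +1,3 @@
+DEBUG=True
+CLOUDINARY_URL=cloudinary://123456789012345:AbCdEfGhIjKlMnOpQrStUvWxYz@demo-cloud
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
commit 9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6
--- a/.env
+++ /dev/null
@@ -1,3 +0,0 @@
-DEBUG=True
-CLOUDINARY_URL=cloudinary://123456789012345:AbCdEfGhIjKlMnOpQrStUvWxYz@demo-cloud
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
"""

print(scan_git_log(SAMPLE_LOG))
```

The second commit deletes `.env`, yet both keys are still reported against the commit that introduced them, which is the point made later in the thread: deleting the file afterwards does not take it out of history, so the keys have to be rotated.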

If anyone wants to keep secrets in a repo, git-crypt is your friend:


BlackBox is also great for this purpose:


Albeit I haven't made any effort to try to fix it - it's a bit hard to compile on Windows.

Thanks. Checking it out

Old commits are still showing the credentials. Recommend following this guide to erase your .env from all commits.


It's too late now in any case. Removing them is cute, but in terms of security credentials can only be rotated now. Removing them doesn't help when someone has already pulled that history previously.

You should still do it for future reference.

Founder of Stream here. I recommend that you rotate your API credentials. It's easy to do that in the dashboard.

Thank you for this. I will do that ASAP

Just a heads up (since I work at getstream.io) that you can easily and quickly rotate the Stream app key/secret via the dashboard.

Feel free to contact our support or myself directly - dwight@getstream.io - if you need a hand.

Do you have no process ready to rotate a user's exposed credentials? It's what I would expect from any service provider once they become aware of an exposure.

Isn't this exactly what he explained? The user has an easy toggle on their dashboard to rotate credentials - and if he needs a hand with it, contact their support for some help.

I think the parent's question was why they wait for the customer to do something instead of blocking/rotating the compromised credentials once they became aware of their existence.

E.g. I remember reading that Amazon even scans Github for AWS credentials proactively now, since this happened all the time.

Obviously they don't want to break their customer's production system without asking.

True. It should be in the TOS that exposed API keys are subject to being revoked to prevent abuse. At least for certain services, and certain types of tokens.

Minor bug report:

Edit your profile.

Upload a non-image file.

Enjoy the backtrace.

(Only discovered because uploading an image seems to be mandatory...)

Only after signup too :|

Attention! Do not sign up!

Everyone's information is public on there with autoincrementing IDs. I am not sure if this is intended, but I didn't realize my information would be public.

Would like a public test account to play around with it. Don't feel like signing up.

Great stuff, Iyanu. You just need to perfect the UI.

I suggest the OP watch this as an example of improving UI, "Refactoring UI: Bad About":


Django is a great tool for stuff like this. Well done.

Looks good; needs a refined UI.

Maybe it's wise to split the project into two: the backend API (service) and the frontend UI / UX?

This way, if you're ultimately only interested in the service you're not dragging around the UI stuff (even if you're not using it).


Why on earth is this on front page?

Because someone submitted it to HN, and then the HN community found it interesting enough to vote it up.

Because people can show their side projects here. You might be really advanced and not impressed, that's fine. There's always that set of folks who are never impressed. I wish to see more Show HN. I like to see more folks building and less talking.

I'm not saying people should not show projects or that it doesn't belong here. I really like "Show HN" myself, but why this particular project made it to the HN front page is what I don't understand.
