jgarverick/vsts-ext-proj-templates

Include tfignore/gitignore in template to prevent accidental leak of VSTS Marketplace token

Closed this issue · 3 comments

The current project template suggests that users include their VSTS Marketplace token in the settings.json file, which is scary as hell, as this is an all-accounts token and many people are likely to use all scopes because it's easier.

Instead I'd suggest to point to a token.json which is not included in the project and a piece of documentation on how to create it and why not to put it into source control.

Including a tfignore/gitignore that auto-excludes this token.json would prevent accidental inclusion.

I can definitely add the ignore files. The settings.tfx.json file that is in the template currently would most likely be the file to exclude, as it has the publish settings. To be fair, there is nothing explicit in the template that tells users to check in their sensitive information via the settings.tfx.json file. Much like you shouldn't store your connection string information in your app.config, but many folks forget to sanitize that file prior to check-in.

I'll leave this open until I get the changes into master. Thanks for the feedback!

Just published 2.6.0, which includes the changes you requested.

I understand that people shouldn't check in sensitive data, you understand it, but I wonder whether all people understand it and, since Visual Studio will auto-pend-add the file after project creation, mistakes are easy to make.

Since some of the settings in the settings.json make sense to be checked in I'd put the API token in a separate file if the project.json understands that. That would make it very explicit.
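One way to put the thread's proposal into practice, as an added example that is not code from the vsts-ext-proj-templates project: a POSIX shell script that writes the same exclusions to both .gitignore and .tfignore, and a pre-commit gate that refuses a commit if a secret file is staged by name or if any staged JSON file carries a populated "token" value. The file names are assumptions taken from the discussion: token.json is the separate token file the issue proposes, and settings.tfx.json is the publish-settings file the maintainer names; neither the file layout nor the hook is defined by the template itself.

```shell
#!/bin/sh
# Added example, not code from the vsts-ext-proj-templates project: a small gate that
# keeps the Marketplace personal access token (PAT) out of source control.
# Assumptions (taken from the issue thread, not defined by the template): the PAT
# lives in token.json and the publish settings in settings.tfx.json. Both are
# treated as secret here.

SECRET_FILES="token.json settings.tfx.json"

# Append one ignore entry unless it is already present, so repeated runs do not
# duplicate lines.
add_ignore_entry() {
    ignore_file=$1
    entry=$2
    touch "$ignore_file"
    if ! grep -qxF -- "$entry" "$ignore_file"; then
        printf '%s\n' "$entry" >> "$ignore_file"
    fi
}

# Write the same exclusions to .gitignore (Git) and .tfignore (TFVC) in directory $1,
# so it does not matter which version control Visual Studio auto-pend-adds the file to.
write_ignore_files() {
    dir=$1
    for f in $SECRET_FILES; do
        add_ignore_entry "$dir/.gitignore" "$f"
        add_ignore_entry "$dir/.tfignore" "$f"
    done
}

# Return 0 if a JSON file carries a populated "token" value. This catches what an
# ignore file cannot: the PAT pasted into some other JSON file that is checked in.
file_has_token_value() {
    grep -Eq '"token"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# Read staged paths from stdin (one per line) and return 1 if any of them is a
# secret file by name, or an existing .json file that contains a token value.
# Taking paths on stdin lets a hook feed it `git diff --cached --name-only` and
# lets a test feed it a constructed list without a repository.
check_staged_paths() {
    status=0
    while IFS= read -r path; do
        base=${path##*/}
        for f in $SECRET_FILES; do
            if [ "$base" = "$f" ]; then
                echo "refusing to commit $path: it holds the Marketplace token" >&2
                status=1
            fi
        done
        case $path in
            *.json)
                if [ -f "$path" ] && file_has_token_value "$path"; then
                    echo "refusing to commit $path: it contains a \"token\" value" >&2
                    status=1
                fi
                ;;
        esac
    done
    return $status
}

# Pre-commit hook body: the commit is refused when the gate returns non-zero.
precommit_hook() {
    git diff --cached --name-only --diff-filter=ACMR | check_staged_paths
}

# Command-line entry points; with no arguments the script only defines functions.
case "${1:-}" in
    --install) write_ignore_files "${2:-.}" ;;
    --check)   precommit_hook ;;
esac
```

Run `sh gate.sh --install` in the project root once to create or extend the ignore files, and copy the script to .git/hooks/pre-commit with `--check` as its argument so every commit is gated. The name check is the cheap, deterministic part; the content scan is deliberately narrow (a non-empty `"token"` key) so it does not block ordinary settings files that legitimately belong in the repository, which is the split the last comment argues for.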