artsy / eigen

The Art World in Your Pocket or Your Trendy Tech Company's Tote, Artsy's mobile app.

[RFC] Add react-native-config (forked) dependency

ashfurrow opened this issue · comments

New Dependency

Name: react-native-config (forked, for now)

URL: https://github.com/artsy/react-native-config

Motivation

Currently, Eigen uses cocoapods-keys to store environment configuration for the app (the list of used keys is here). CocoaPods only works for iOS apps, and we are planning in MX-489 to migrate to a cross-platform solution, to support upcoming Android work.

react-native-config is a good solution. However, it lacks one important feature from cocoapods-keys: key obfuscation. Please note that it is impossible to ship a binary to users that guarantees security of the keys, but key obfuscation makes it much more difficult to extract them. Unobfuscated keys are present as plaintext in the app binary, which is not acceptable. We have forked react-native-config and ported the obfuscation code from cocoapods-keys in this PR. Eventually, we'll need to recreate that logic for the Android app too.

A big upside to using react-native-config over cocoapods-keys is that we will migrate to storing local keys in a .env file, just like most other apps at Artsy. This will reduce the overhead for new contributors to the app. We will need to change our beta deploys to write the environment variables to a .env file prior to deploying.

Check List

  • Have you read over the source code?
  • Has had a release in the last year, or looks done and stable?
  • Could you fit this codebase in your head after reading the source?
  • Is this the stand-out obvious answer to a particular domain problem?
  • Do you expect your team to be the only people who know about this dependency?
    • nope
  • Is this obviously being used in production by the maintainers? Is it battle-tested?
  • Does our bundle already include a (transitive) dependency that solves the problem and could we use that instead?
  • Do you feel well versed in the domain of this dependency and/or could you maintain it if that needs to become an option?

Alternatives

We chatted about alternatives in MX Knowledge Share yesterday, and nothing came up.

react-native-config is nice, so def 👍 on that.

Are you planning to create a PR with the obfuscation code on the main repo? It would be good not to have to maintain a fork. Ah, just read the PR in the forked repo. Nice!

nice touch with the obfuscation.

Resolution

We decided to adopt the dependency.

Level of Support

1: Overwhelming positive feedback.

Additional Context:

None

Next Steps

Let's merge #3725 and then announce.

Exceptions

None.
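
The Motivation section's concern, that unobfuscated keys are present as plaintext in the app binary, can be turned into a build check. The following is an added example, not part of the issue thread and not code from Eigen or react-native-config: it parses `.env` content and reports which values appear verbatim in a binary. All function names, the sample keys, the sample binary and the XOR masking are constructed assumptions; XOR only stands in for an obfuscation step and is not the scheme ported from cocoapods-keys.

```javascript
// Added example; every name and sample value below is hypothetical.
// Parse KEY=VALUE lines, skipping blanks and comments and stripping matching quotes.
function parseDotEnv(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (line === "" || line.startsWith("#") || eq <= 0) continue;
    let value = line.slice(eq + 1).trim();
    const q = value[0];
    if (value.length >= 2 && (q === '"' || q === "'") && value.endsWith(q)) {
      value = value.slice(1, -1);
    }
    entries.push({ key: line.slice(0, eq).trim(), value });
  }
  return entries;
}

// Return the keys whose values occur verbatim in the binary, as UTF-8 or UTF-16LE.
// Values shorter than minLength are skipped because they match by chance.
function findPlaintextKeys(envText, binary, minLength = 8) {
  return parseDotEnv(envText)
    .filter(({ value }) => value.length >= minLength)
    .filter(({ value }) =>
      ["utf8", "utf16le"].some((enc) => binary.includes(Buffer.from(value, enc))))
    .map(({ key }) => key);
}

// Constructed sample .env content; these are not real keys.
const sampleEnv = [
  "# constructed sample",
  "EXAMPLE_API_SECRET=constructed-secret-0123456789",
  'EXAMPLE_CLIENT_KEY="constructed-client-key-abcdef"',
  "EXAMPLE_ENV=staging",
].join("\n");

// Build a constructed stand-in for an app binary that embeds every sample value,
// either verbatim or XOR-masked. XOR is a placeholder, not the fork's scheme.
function buildSampleBinary(obfuscate) {
  const mask = obfuscate ? 0x5a : 0x00;
  const parts = [Buffer.from([0xcf, 0xfa, 0xed, 0xfe])]; // constructed header bytes
  for (const { value } of parseDotEnv(sampleEnv)) {
    parts.push(Buffer.from(Array.from(Buffer.from(value), (b) => b ^ mask)));
  }
  return Buffer.concat(parts);
}

console.log("plaintext build:", findPlaintextKeys(sampleEnv, buildSampleBinary(false)));
console.log("masked build:   ", findPlaintextKeys(sampleEnv, buildSampleBinary(true)));
```

An empty result shows only that no value is stored verbatim; as the issue says, obfuscation makes extraction more difficult and does not guarantee the security of the keys.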