Tags: node.js, environment-variables, api-key, dotenv

Why do I need to hide API keys/environment variables for my server?


I'm asking this question in the context of a MERN stack app, but I'm sure it's applicable generally as well.

Why must we hide our API keys for databases and other services in our server? If we must abstract them from the code using dotenv or other mechanisms, does this mean that users have a way of looking at our code? Doesn't this mean that users will be able to see our server-side business logic?

I'm very confused about this. :(


Solution

  • The API keys/environment variables usually contain some sensitive information. For example, token secret, DB connection info, etc. If you put them into version control directly, that sensitive data may leak to unwanted parties.

    Also, by abstracting those variables, we can configure them more easily when we build and run the project. For example, if we want to start up multiple servers using the same code base, but we want each of them to connect to different instances of MongoDB, we can just configure the environment variables instead of making changes to the code base.
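To show what the answer describes in working code, here is an added example that is not part of the original answer or of the dotenv library: a minimal `.env` parser in the spirit of dotenv, a loader that lets the real process environment override the file, fails fast when a secret is missing, and masks secrets before they reach a log. The variable names (`MONGODB_URI`, `JWT_SECRET`, `PORT`) and the sample file contents are constructed for this example.

```javascript
// Added example (not dotenv's code): parse KEY=VALUE lines, skip blank lines
// and '#' comments, and strip matching surrounding quotes from values.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    const quoted = value.length >= 2 && (value[0] === '"' || value[0] === "'") &&
                   value[value.length - 1] === value[0];
    vars[key] = quoted ? value.slice(1, -1) : value;
  }
  return vars;
}

// Values already set in the process environment win over the file, so each
// deployment can point at its own MongoDB instance without touching the code.
function mergeEnv(fileVars, processEnv) {
  return { ...fileVars, ...processEnv };
}

// Fail fast at startup instead of at the first database call.
function loadConfig(env) {
  const required = ['MONGODB_URI', 'JWT_SECRET'];
  const missing = required.filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(`Missing environment variables: ${missing.join(', ')}`);
  }
  return { port: Number(env.PORT || 3000), mongodbUri: env.MONGODB_URI, jwtSecret: env.JWT_SECRET };
}

// Log only a redacted copy: mask the token secret and any user:password@
// credentials embedded in the connection string.
function redact(config) {
  return {
    port: config.port,
    mongodbUri: config.mongodbUri.replace(/\/\/([^:@/]+):([^@/]+)@/, '//$1:***@'),
    jwtSecret: '***',
  };
}

// Constructed sample of a .env file; the real one stays out of git.
const SAMPLE_ENV_FILE = [
  '# local development settings',
  'PORT=4000',
  'MONGODB_URI="mongodb://app:s3cret@db.example.internal:27017/shop"',
  "JWT_SECRET='not-a-real-secret'",
].join('\n');
```

Typical startup is `const config = loadConfig(mergeEnv(parseDotenv(fileText), process.env));` followed by logging `redact(config)` rather than `config`.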