unlockKeys: Open an API key and use it build a connection.
In shelter: Support for Secure API Key Management
unlockKeys R Documentation
Open an API key and use it build a connection.
Description
Opens a set of connections from API keys stored in an encrypted keyring.
If the keyring does not exist, it will ask for password to this keyring to use on
later requests. Next it
will ask for the API keys specified in 'connections'. If an API key does not
work, it will request again. On later executions it will use an open keyring
to retrieve all API_KEYs or for a password if the keyring is currently
locked.
Usage
unlockKeys(
connections,
keyring,
connectFUN = NULL,
envir = NULL,
passwordFUN = .default_pass(),
yaml_tag = "shelter",
max_attempts = 3,
...
)
Arguments
connections
character vector. A list of strings that define the
connections with associated API_KEYs to load into environment. Each
name should correspond to a REDCap project for traceability, but
it can be named anything one desires.
The name in the returned list is this name.
keyring
character(1). Name of keyring.
connectFUN
function or list(function). A function that takes a key and returns a connection.
the function should call 'stop' if the key is invalid in some manner. The
first argument of the function is the API key. The validation of the
key via a connection test is important for the full user interaction
algorithm to work properly. If one wished to just retrieve an API key
and not test the connection this would work 'function(x, ...) x', but
be aware that if the key is invalid it will not query the user as
the validity is not tested.
envir
environment. The target environment for the connections. Defaults to NULL
which returns the keys as a list. Use [globalenv()] to assign in the
global environment. Will accept a number such a '1' for global as well.
passwordFUN
function. Function to get the password for the keyring. Usually defaults 'getPass::getPass'.
On MacOS it will use rstudioapi::askForPassword if available.
yaml_tag
character(1). Only used as an identifier in yaml override files.
Defaults to package name 'shelter'.
max_attempts
numeric(1).
...
Additional arguments passed to 'connectFUN()'.
Details
If one forgets the password to this keyring, or wishes to start over:
'keyring_delete("<NAME_OF_KEY_RING_HERE>")'
IMPORTANT: Make sure that R is set to NEVER save workspace to .RData
as this *is* writing the API_KEY to a local file in clear text because
connection objects contain the unlocked key in memory. One can use the
following in .Rprofile, 'usethis::edit_r_profile()':
newfun <- function (save = "no", status = 0, runLast = TRUE)
.Internal(quit(save, status, runLast))
pkg <- 'base'
oldfun <- 'q'
pkgenv <- as.environment(paste0("package:", pkg))
unlockBinding(oldfun, pkgenv)
utils::assignInNamespace(oldfun, newfun, ns = pkg, envir = pkgenv)
assign(oldfun, newfun, pkgenv)
lockBinding(oldfun, pkgenv)
It will store the provided password in the shell environment.
This can sometimes end up with the password set command appearing in the
console when using RStudio. If one wishes this to not happen and/or
for it to always query for the password this can be done using:
'options(shelter.save.env=FALSE)' to turn off the password saving
behavior for an R session. Note: this will not clear a password
that already exists in a given shell environment.
For production servers where the secrets must be stored in a readable
plain text file, it will search for '../<basename>.yml'. DO NOT USE
this unless one is a sysadmin on a production hardened system,
as this defeats the security and purpose of
a local encrypted file (the point of using this package).
The expected structure of this yaml file is
as follows:
other-config-stuff1: blah blah
shelter:
keys:
intake: THIS_IS_THE_INTAKE_DATABASE_APIKEY
details: THIS_IS_THE_DETAILS_DATABASE_APIKEY
other-config-stuff2: blah blah
other-config-stuff3: blah blah
For production servers the use of ENV variables is also supported. The connection
string is converted to upper case for the search of ENV. If a YAML file
and ENV definitions both exist, the YAML will take precedence.
Value
If 'envir' is NULL returns a list of opened connections. Otherwise
connections are assigned into the specified 'envir'.
Examples
## Not run:
unlockKeys(c(test_conn = 'Testshelter',
sandbox_conn = 'SandboxAPI'),
keyring = '<NAME_OF_KEY_RING_HERE>',
envir = globalenv(),
passwordFUN = function(x, ...) x)
## End(Not run)
shelter documentation built on June 8, 2025, 11:44 a.m.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
| unlockKeys | R Documentation |
Open an API key and use it build a connection.
Description
Opens a set of connections from API keys stored in an encrypted keyring. If the keyring does not exist, it will ask for password to this keyring to use on later requests. Next it will ask for the API keys specified in 'connections'. If an API key does not work, it will request again. On later executions it will use an open keyring to retrieve all API_KEYs or for a password if the keyring is currently locked.
Usage
unlockKeys(
connections,
keyring,
connectFUN = NULL,
envir = NULL,
passwordFUN = .default_pass(),
yaml_tag = "shelter",
max_attempts = 3,
...
)
Arguments
connections |
character vector. A list of strings that define the connections with associated API_KEYs to load into environment. Each name should correspond to a REDCap project for traceability, but it can be named anything one desires. The name in the returned list is this name. |
keyring |
character(1). Name of keyring. |
connectFUN |
function or list(function). A function that takes a key and returns a connection. the function should call 'stop' if the key is invalid in some manner. The first argument of the function is the API key. The validation of the key via a connection test is important for the full user interaction algorithm to work properly. If one wished to just retrieve an API key and not test the connection this would work 'function(x, ...) x', but be aware that if the key is invalid it will not query the user as the validity is not tested. |
envir |
environment. The target environment for the connections. Defaults to NULL which returns the keys as a list. Use [globalenv()] to assign in the global environment. Will accept a number such a '1' for global as well. |
passwordFUN |
function. Function to get the password for the keyring. Usually defaults 'getPass::getPass'. On MacOS it will use rstudioapi::askForPassword if available. |
yaml_tag |
character(1). Only used as an identifier in yaml override files. Defaults to package name 'shelter'. |
max_attempts |
numeric(1). |
... |
Additional arguments passed to 'connectFUN()'. |
Details
If one forgets the password to this keyring, or wishes to start over: 'keyring_delete("<NAME_OF_KEY_RING_HERE>")'
IMPORTANT: Make sure that R is set to NEVER save workspace to .RData as this *is* writing the API_KEY to a local file in clear text because connection objects contain the unlocked key in memory. One can use the following in .Rprofile, 'usethis::edit_r_profile()':
newfun <- function (save = "no", status = 0, runLast = TRUE)
.Internal(quit(save, status, runLast))
pkg <- 'base'
oldfun <- 'q'
pkgenv <- as.environment(paste0("package:", pkg))
unlockBinding(oldfun, pkgenv)
utils::assignInNamespace(oldfun, newfun, ns = pkg, envir = pkgenv)
assign(oldfun, newfun, pkgenv)
lockBinding(oldfun, pkgenv)
It will store the provided password in the shell environment. This can sometimes end up with the password set command appearing in the console when using RStudio. If one wishes this to not happen and/or for it to always query for the password this can be done using: 'options(shelter.save.env=FALSE)' to turn off the password saving behavior for an R session. Note: this will not clear a password that already exists in a given shell environment.
For production servers where the secrets must be stored in a readable plain text file, it will search for '../<basename>.yml'. DO NOT USE this unless one is a sysadmin on a production hardened system, as this defeats the security and purpose of a local encrypted file (the point of using this package).
The expected structure of this yaml file is as follows:
other-config-stuff1: blah blah
shelter:
keys:
intake: THIS_IS_THE_INTAKE_DATABASE_APIKEY
details: THIS_IS_THE_DETAILS_DATABASE_APIKEY
other-config-stuff2: blah blah
other-config-stuff3: blah blah
For production servers the use of ENV variables is also supported. The connection string is converted to upper case for the search of ENV. If a YAML file and ENV definitions both exist, the YAML will take precedence.
Value
If 'envir' is NULL returns a list of opened connections. Otherwise connections are assigned into the specified 'envir'.
Examples
## Not run:
unlockKeys(c(test_conn = 'Testshelter',
sandbox_conn = 'SandboxAPI'),
keyring = '<NAME_OF_KEY_RING_HERE>',
envir = globalenv(),
passwordFUN = function(x, ...) x)
## End(Not run)
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
Embedding an R snippet on your website
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.