Deployment [dih-ploi-muhnt]
noun.
: the act of moving something or someone into a strategic position or a position of readiness, or the condition of being in such a position
Quick Recap:
Stay in touch w/ Friends
We are building a simple v0.1 of BetterFriend app by using chatbot to remind people their loved one’s birthday with AI.
The process of deploying something live with front-end, back-end, database, AI and proper hosting is definitely an achievement for me. I have never deployed anything alone and this is the very first MVP that I have deployed. Along the way, I’ve come to understand a few things that are required to double check.
Authentication
There was a disconnect between the Telegram API / Webhook with the Database. While deploying, it wasn’t very clear if it was the Telegram side that was having issues or on the database side. It simply wasn’t syncing.
After several back and forth, I discovered that we have to manually go to Vercel settings to give permission for connecting the two. Logging into Vercel wasn’t enough to do this in the terminal because this allows 3rd party tools (Telegram) to get access to our database. I had to disable this authentication in order to make this work. This introduce a new risk - anyone can access the database, but it is necessary for Telegram to talk to Vercel unfortunately.
For security purposes, We have to replace Vercel’s authentication with our own request verification to verify the Telegram Secret Key. Without this step, we are leaving it open for:
Someone could pretending to be Telegram and contact your webhook (database)
They can spam, store wrong data, retrieve data from the database with full access
Lesson learned for interacting with 3rd party tools - authentication is necessary to do at the back-end API level.
Secret Keys
Environment Variable - APIs - keeping things secure / locally and then upload directly with hosting (through Vercel dashboard or other services)
Gitignore is the standard best practice that has become popular to tell Github to NOT upload your important information to the cloud. This is super important to remember because if anyone has access to the API key from any AI that we use, or worse the database key, they can get access to anything.
Unfortunately, on one occasion the AI (Claude 4 Sonnet) ignored the best practices and put in my API keys into a file that is not called .env - The file that Github is told not to upload and only stays locally on our computer. Github Copilot Code Review in Pull Request process was able to catch that luckily.
Again, these API keys need to be manually uploaded either through the website on Vercel or other hosting provider. We could also tell Terminal to do once it’s logged into the hosting provider. For some reason I still feel better about manually uploading them myself than relying on AI in the terminal.
This is a serious security concern for data privacy. Also, these days, if AI API keys are stolen, there have been nightmare stories of $10,000+ being charged by someone stealing the key and abusing it.
The deployment process is an interesting one. Unless going through it once, we don’t know that these problems exist and that we need to have workarounds. We are also less sensitive to security issues until something is live on the internet and anyone can use it.
I hope everyone can deploy something to know what it’s like. Just make sure to follow the best practices above and protect your APIs and authenticate who can access what.
I’m grateful for the experience.
Beta on the way!
See ya tomorrow
(⚡️BetterFriend Project Day 8 - 38)