blomster

Reputation: 806

mongodb - user connection string, secure password

I've been following a tutorial with express, node and mongo. I have in a config file on the server side:

production:{
    db:'mongodb://MYUSERNAME:[email protected]:33307/dbname',
    rootPath:rootPath,
    port:process.env.PORT||80
}

So, I have my username and password in clear text in a server-side JavaScript file. Should I be worried about this? If yes, where else can I put it?

Thanks.

Edit: I went back and had a look at mongolab and heroku (where my site is hosted) docs.

Where I found: "The MongoLab add-on contributes one config variable to your Heroku environment: MONGOLAB_URI", and so I was able to put the MONGOLAB_URI env var into my config and move the password out of the source code.

With regards to the same datacenter, am I right to assume heroku would not be hosting my mongolab database in their datacenter, but would instead be calling out to a cloud service mongo database? Not much I can do then, is there, if I want to stick with mongolab and heroku?

Upvotes: 2

Views: 3534
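As an added example (not code from the question or either answer), here is the production config from the question rewritten to take the connection string from the MONGOLAB_URI environment variable mentioned in the edit, failing fast if it is absent and redacting the password before the URI is ever logged. The fallback variable name MONGODB_URI, the helper names and the sample values are assumptions for this example.

```javascript
// Added example: credentials come from the environment, never from source.
// MONGOLAB_URI is the variable named in the question; MONGODB_URI is an
// assumed fallback name for other hosting setups.

// Return the connection string from the environment. Throwing here is
// deliberate: starting with an empty or hard-coded credential is worse than
// not starting at all.
function loadMongoUri(env) {
  const uri = env.MONGOLAB_URI || env.MONGODB_URI;
  if (!uri) {
    throw new Error("MONGOLAB_URI (or MONGODB_URI) is not set; refusing to start");
  }
  return uri;
}

// Replace the password part of "mongodb://user:password@host..." with "***"
// so the URI can appear in logs or error messages without leaking the secret.
// A URI without credentials is returned unchanged. Passwords containing "@"
// must be percent-encoded in a valid URI, so stopping at the first "@" is safe.
function redactMongoUri(uri) {
  return uri.replace(/^(mongodb(?:\+srv)?:\/\/[^:@/]+:)[^@]*@/, "$1***@");
}

// The question's production section, with db read from the environment
// instead of being written inline. rootPath is passed in by the caller.
function buildConfig(env, rootPath) {
  return {
    production: {
      db: loadMongoUri(env),
      rootPath: rootPath,
      port: env.PORT || 80,
    },
  };
}

// Demo with a constructed environment (no real host or credentials).
const demoEnv = {
  MONGOLAB_URI: "mongodb://app:s3cret@db.example.invalid:27017/dbname",
  PORT: "5000",
};
const demoConfig = buildConfig(demoEnv, "/srv/app");
// Log only the redacted form:
console.log(redactMongoUri(demoConfig.production.db));
// → mongodb://app:***@db.example.invalid:27017/dbname
```

In a real deployment the same buildConfig call would be made with process.env, and nothing that has access to the repository or the log output learns the password.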

Answers (2)

John Petrone

Reputation: 27487

I think you should always be concerned about storing passwords in source code files. Generally you would be much better off keeping it in a configuration file that is managed separately. This gives you the flexibility to use the same code with a different configuration file to point to development or qa databases.

Of bigger concern perhaps - are you hosting your application in the same datacenter that MongoLab is hosting your database? If not, that user name and password, along with your data, will traverse the internet in the clear.

MongoLab does not currently support SSL (other than for their RestAPI) so even they recommend being in the same data center:

Do you support SSL?

Not yet but it is on our roadmap to be available in Summer 2014. In the meantime, we highly recommend that you run your application and database in the same datacenter. If you have a Dedicated plan, we also highly recommend that you configure custom firewall rules for your database(s).

Rest API:

Each MongoLab account comes with a REST API that can be used to access the databases, collections and documents belonging to that account. The API exposes most of the operations you would find in the MongoDB driver, but offers them as a RESTful interface over HTTPS.

I would definitely read MongoLab's security page fairly closely:

https://docs.mongodb.com/manual/security/

Upvotes: 0

DevFox

Reputation: 554

I know this question is old but according to Heroku's docs they currently use 2 datacenters (https://devcenter.heroku.com/articles/regions#data-center-locations).

Their US server is 'amazon-web-services::us-east-1' and their EU alternative is 'amazon-web-services::eu-west-1'.

Both of these data centers are available when launching mongo instances on Mongolab, so you can choose for both your app and your db to be on the same datacenter, giving much improved security.

Upvotes: 1
