kaytrance

Reputation: 2757

Securely storing passwords for connection to DB in open-source projects

Cloud9 is a cool service. If you create a workspace that is public, it means that everyone who knows your project URL and has an account at Cloud9 can browse and download your code. This means that if my project has, for example, connectivity to MongoDB, everyone will see the login and password used to connect to Mongo (because they will be in some source file).

The only option I can see to store passwords securely (except making the project private) is to somehow add them to environment variables, and use a process.env.XXXXXX call within the code. This seems to be secure because even if others may browse my code, they cannot open a terminal and check what environment variables I have defined.

So, is there a way to add my custom environment variable(s) so that they would be accessible via process.env.XXXXXX inside Node's code?

Upvotes: 0

Views: 1042

Answers (2)

Fabian Jakobs

Reputation: 29163

You can define environment variables in ~/.profile. Files outside of the workspace directory /home/ubuntu/workspace are not accessible to read-only users. You can do e.g.

$ echo "export SECRET=geheim" >> ~/.profile

to define the variable SECRET and then use it through process.env.SECRET from your application. The runners (from the "run" button) and the terminal will evaluate ~/.profile and make the environment variable available to your app.

Upvotes: 4
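An added example, not part of the answer above, of consuming variables defined this way from Node: it reads MongoDB credentials from the environment, fails closed when one is missing, percent-encodes them into the connection string, and produces a redacted form for logs. The names MONGO_USER, MONGO_PASSWORD, MONGO_HOST and MONGO_DB and the sample values are assumptions chosen for illustration.

```javascript
// Added example. MONGO_USER, MONGO_PASSWORD, MONGO_HOST and MONGO_DB are
// hypothetical names; define them in ~/.profile the same way as SECRET.
const REQUIRED = ['MONGO_USER', 'MONGO_PASSWORD', 'MONGO_HOST', 'MONGO_DB'];

// Read the required settings from an environment object (process.env by
// default). Fails closed: a missing or empty variable raises an error that
// names the variable only, so no secret value ends up in the message.
function loadMongoConfig(env = process.env) {
  const missing = REQUIRED.filter((name) => !env[name] || env[name].trim() === '');
  if (missing.length > 0) {
    throw new Error('Missing environment variables: ' + missing.join(', '));
  }
  return {
    user: env.MONGO_USER,
    password: env.MONGO_PASSWORD,
    host: env.MONGO_HOST,
    db: env.MONGO_DB,
  };
}

// Build the connection string. Credentials are percent-encoded so characters
// such as '@', ':' or '/' in a password cannot change how the URI is parsed.
function buildMongoUri(cfg) {
  const user = encodeURIComponent(cfg.user);
  const pass = encodeURIComponent(cfg.password);
  return `mongodb://${user}:${pass}@${cfg.host}/${encodeURIComponent(cfg.db)}`;
}

// Form of the URI that is safe to write to logs: the password is replaced.
function redactUri(uri) {
  return uri.replace(/^(mongodb(?:\+srv)?:\/\/[^:@\/]+):[^@]*@/, '$1:***@');
}

// Constructed sample environment for the demo; a real run uses process.env.
const sampleEnv = {
  MONGO_USER: 'app',
  MONGO_PASSWORD: 'p@ss:w/rd',
  MONGO_HOST: 'db.example.com:27017',
  MONGO_DB: 'notes',
};
const uri = buildMongoUri(loadMongoConfig(sampleEnv));
console.log(redactUri(uri));
```

In the application, call loadMongoConfig() with no argument so it reads process.env, and log only the output of redactUri.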

a user

Reputation: 24139

When running a project with Cloud9 runners, there is an Environment popup on the right side of the runner toolbar. You can use it to add environment variables the way you want, but make sure not to add a name to the config, since configs with a name are automatically saved in .c9/project.settings.

Another solution is to create a file in a directory not exposed in readOnly mode, e.g.

echo "password" |  sudo tee /xxx

You can even edit the /xxx file using vi inside the Cloud9 terminal.

But of course the best solution is to buy a premium subscription and get more private workspaces :)

Upvotes: 2
