CODEWITHSUNDEEP
node.jsexpress
sfarzoso
sfarzoso

Reputation: 1600

Which is the best way to store sensitive credentials in Node.js?

I started learning Node.js a few days ago, and I'm facing a question about the credentials of the database and the Gmail connection (the last is needed for nodemailer).

I essentially created a file like this:

const config = {
    development: {
        url: '127.0.0.1',

        database: {
            host: 'mongodb://localhost',
            port: '27017',
            db: 'foo'
        },

        gmail: {
            username: '[email protected]',
            password: 'foo',
        },

        server: {
            host: '127.0.0.1',
            port: '3000'
        }
    },

    production:{
        url: 'https://my.site.com',

        database: {
            host: '127.0.0.1',
            port: '27017',
            db: 'foo'
        },
        gmail: {
            username: '[email protected]',
            password: 'foo',
        },

        server: {
            host: '127.0.0.1',
            port: '3000'
        }
    }
};

module.exports = config;

I do not like to enter this information into the application, so after some research I found this library: dotenv. This library stores the information inside the process.env property, but the substance is the same... Why should I prefer a solution like dotenv against my config module?

What do you suggest?

Upvotes: 5

Views: 12055

Answers (2)

Abdullah Khan
Abdullah Khan

Reputation: 645

You have used the dotenv package, because it creates a file and saves it into your process, whereas config.js will not save in the process.

But why do I have to save in the process?

The first thing: credentials will never be pushed to Git or any other version control system. If we don't push this file to Git, and if I clone it after some later time, the program will crash. But in this case, if I use the Process.env property, the program will not crash.

And second, if we have big team, we can also put extra security on the process file and but put extra security on the JavaScript file, because the developing team should have access to these file for editing and other stuff.

This is useful for more information: Managing Configurations in Node.js applications with dotenv and convict

Upvotes: 3

f4z3k4s
f4z3k4s

Reputation: 1241

I absolutely recommend dotenv, and this is what it was created for. However, I would specifically recommend to use the dotenv-safe npm package. That offers upgraded features compared to dotenv.

Since you are not going to push your .env.xy files to version management, such as Git, with all the sensitive data in it, you can quickly get confused about what variables should you be putting into your environment files, especially if you are working in teams.

Let’s say Adam creates a new environment variable, uses it in his code and pushes his code. Since the environment files are in file .gitignore, you only get to notice that Adam introduced a new environment variable when your code tries to use the variable and breaks. With dotenv-safe however, you push your .env.example file with valid keys, but with dummy values, for example, MY_API_KEY=somerandomgibberish to Git, while your real value would be MY_API_KEY=aaf347xkhskallmtopsecret in your .env.production file.

Dotenv-safe doesn’t allow running your application if your real .env file, in this case .env.production, has any mismatching keys compared to file .env.example which you just pulled from Git. This way, you discover that Adam added his new environment variable when starting your app.

This way, no unexpected behaviour will come up once your application has all the variables it has predefined in .env.example, protecting you from a lot of headache and thousands of unnecessary redeploys in the long run. :)

Upvotes: 6

Related Questions