Felix

Reputation: 174

Possible Improvements for contact-form

I followed the guide Building a contact form, and additionally added an email notification. My final code looks like this:

var async = require('async');

...

  // Email default "from" address for this module
  email: { from: '[email protected]' },

  afterConstruct: function(self) {
    self.setSubmitSchema();
  },

  construct: function(self, options) {

    // build submit schema: only these fields may be set from the public form
    self.setSubmitSchema = function() {
      self.submitSchema = self.apos.schemas.subset(self.schema,
        [ 'name', 'email', 'title', 'body' ]
      );
    };

    // Submit request to piece
    self.submit = function(req, callback) {
      var piece = {};
      return async.series([
        convert,
        insert
      ], callback);
      function convert(callback) {
        // convert against the restricted submit schema, not the full piece
        // schema, so an anonymous submitter cannot set other piece fields
        return self.apos.schemas.convert(req, self.submitSchema, 'form', req.body, piece, callback);
      }
      function insert(callback) {
        return self.insert(req, piece, { permissions: false }, callback);
      }
    };

    // Submit request by email
    self.afterInsert = function(req, piece, options, callback) {
      return self.email(req, 'emailInserted', {
          piece: piece
        }, {
          // can also specify from and other
          // valid properties for nodemailer messages here
          to: '[email protected]',
          subject: 'A new suggestion was received'
        },
        callback
      );
    };

  }
};


Everything works as expected, but I can't have the SMTP login data for nodemailer in app.js lying around in the public code. That's my problem.

When I use this code without supplying a login, form submission fails. Therefore I would either need to write an additional if condition to trigger self.afterInsert only if a valid login is supplied.

Or I would add the login via process.env.USER_SMTP, process.env.USER_LOGIN and process.env.USER_PW in app.js, if that works! But I would still have to add the email from: and to: in contact-form/index.js. So I don't really know what the polite way to solve this is, and I would appreciate some suggestions...

Upvotes: 0

Views: 57

Answers (1)

Tom Boutell

Reputation: 7572

I think you are experiencing some confusion about the security of putting things in JavaScript.

This is server-side (node.js) JavaScript code. Presumably located here:

/lib/modules/my-pieces-submit-widgets/index.js

That means it is just as secure as anything on your private server. It is not "public." No one can see it unless they have access to your server account.

If they have access to your server account they can already delete your entire database, turn your site into a spam generator, etc.

So I think you might be confusing this with what happens when you put credentials in browser-side JavaScript. In ApostropheCMS, that would mean putting them in a public/js folder. That is unsafe but you are not doing that here.

Assuming your code is in a private repository - which it should be - it is perfectly fine to put these credentials there. However, yes, there is no reason you cannot check process.env.USER_SMTP and so on if you prefer to do it that way. For instance, if you were planning to create a public npm module for other people to use in their projects, you might check such environment variables, or you might just tell people to set these properties in project-level configuration.

If this does not clear up the question please provide more specifics as to why you are worried about this information getting out, and how.

Upvotes: 1
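One way to take the environment-variable route the answer mentions, as an added example that is not part of the question, the answer, or ApostropheCMS itself: the SMTP settings are read from the USER_SMTP, USER_LOGIN and USER_PW variables named in the question, and the notification becomes a no-op when they are absent so a form submission is still stored. The `apostrophe-email` `nodemailer` option shape, the optional USER_SMTP_PORT and CONTACT_NOTIFY_TO variables, and the helper names are assumptions.

```javascript
// Added example, not from the question or the project. Env names follow the
// question; the apostrophe-email `nodemailer` option shape is assumed to be
// what Apostrophe 2.x hands to nodemailer.createTransport.

// Build the SMTP transport settings from an environment object. Returns null
// when any required value is missing, never a half-filled config, so the
// caller can choose between "send no email" and "fail fast at startup".
function smtpConfigFromEnv(env) {
  var host = env.USER_SMTP;
  var user = env.USER_LOGIN;
  var pass = env.USER_PW;
  if (!host || !user || !pass) {
    return null;
  }
  var port = parseInt(env.USER_SMTP_PORT || '587', 10); // assumed extra var
  return {
    host: host,
    port: port,
    // nodemailer semantics: implicit TLS on 465, STARTTLS upgrade otherwise
    secure: port === 465,
    auth: { user: user, pass: pass }
  };
}

// app.js fragment: only hand credentials to apostrophe-email when they exist,
// so nothing secret is written into the module configuration in source.
function emailModuleConfig(env) {
  var transport = smtpConfigFromEnv(env);
  return transport ? { nodemailer: transport } : {};
}

// Replacement for the contact-form module's afterInsert: skip the email (but
// still succeed) when the deployment has no SMTP credentials. `self` is the
// module object, whose self.email() is the real Apostrophe call.
function makeAfterInsert(self, env) {
  return function(req, piece, options, callback) {
    if (!smtpConfigFromEnv(env)) {
      return callback(null);
    }
    return self.email(req, 'emailInserted', { piece: piece }, {
      to: env.CONTACT_NOTIFY_TO, // recipient also comes from the environment
      subject: 'A new suggestion was received'
    }, callback);
  };
}
```

In the module, `self.afterInsert = makeAfterInsert(self, process.env);` replaces the hard-coded handler, and in app.js `'apostrophe-email': emailModuleConfig(process.env)` supplies the transport.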
