1

I see that a lot of people are using this module for using Node along with a mysql database: node-mysql

In everything I read people are storing their passwording and usernames in plain text in the js file. Javascript files can be read pretty easily, so isn't this a terrible thing?

Here is the connection code in the docs:

var connection = mysql.createConnection({
    host     : 'localhost',
    user     : 'me',
    password : 'secret'
});

Am I missing a piece of the puzzle that disallows people from viewing your JS file on the server in plain text, password fully available?

Gurnzbot
  • 3,742
  • 7
  • 36
  • 55
  • 2
    Writing your own password encryption and management is "hard" — it is an extremely difficult problem that nearly everyone gets Very Wrong. Badly. Find and use an existing, proven solution written by crypto experts. – Stephen P Dec 08 '14 at 21:11
  • Just make sure your node.js files are not included in the path being served by your webserver. Also probably a good idea to use a specific mysql user for this application and lock it down to only being accessible by this specific server. – Kevin B Dec 08 '14 at 21:11
  • It has been discussed in some other threads. Example: http://stackoverflow.com/questions/22348705/best-way-to-store-db-config-in-node-js-express-app What you can do is pass the db password as parameter to the node app (example: node myapp.js password_from_mysql) – Christian Benseler Dec 08 '14 at 21:13
  • 1
    @t0mppa I think I have misunderstood where to actually store these javascript files that contain the node/server-side code. I have my app.js file on the server in js directory and the app is running fine (using Forever). But I can always just enter the url of this file and view it. Am I supposed to keep it in a specific location on my server that is more locked down and unreadable through the browser...?? – Gurnzbot Dec 08 '14 at 21:44
  • @Gurnzbot did you ever find an answer to this? I'm trying to figure out as well what to do to keep my database safe. – neydroydrec Nov 14 '15 at 02:58
  • No I have not. If you ever do pls update here! :) – Gurnzbot Nov 19 '15 at 18:45

2 Answers2

1

It is not possible to store your password in a mysql connection with an encrytion. But you never should enter your password in a file which is send to the PC of a visitor. All files which contains login credentials or something like have to been saved on the server. If you want to show some mysql contents to a visitor you can realise this with a small api which has to be programmed in js/php.

But if understand it right, you only want to run this javascript in a commandline with nodejs. Then you have no other solution as to store it without encryption and don't give the access to this server to someone else.

jan
  • 142
  • 2
  • 2
  • 9
  • 3
    If you can't trust the security of a file on disk, you've got bigger problems. Lock down your system properly and this is a non-issue. – tadman Dec 08 '14 at 21:59
1

I'll typically have the app prompt you for the mysql password upon startup. This keeps the password out of a file on the server. You could also pass this as an argument to the script or set an environment variable.

Keeps the password off the filesystem but doesn't allow you to have the app autostart... it's a tradeoff

Dave Snigier
  • 2,574
  • 3
  • 21
  • 29
  • These password prompts are usually self defeating, and are often worse than having the password in a configuration file. It's highly likely this password will end up on a note stuck to someone's screen, if not the server itself. – tadman Dec 08 '14 at 21:58