3

I've some node app which should get the user password to run. I don't want to put the user password hard-coded, but I want some way to pass it during deployment, something like when I do npm start with the command line and also add the user password which will be filled in the code. Is there some best practice for how to do it in node?

After I searched on SO I've found this post, but it's not helping since you put the credentials in a config file, which to me looks the same: the user password is supplied with the code, which I want to avoid... Any example will be very helpful.

Best way to store DB config in Node.Js / Express app

Let's say one of the files needs this user password at runtime...

e.g.

const request = require('request');   // the `request` npm package
// API holds the endpoint URL; it is defined elsewhere in the app

request({
    uri: API,
    method: 'POST',
    json: true,
    form: {
      'username': 'user123',
      'password': 'password123'
    }
}, function (err, res, body) {
    // handle the response here
});

What I want is something similar to this approach (or, if there is something better, I want to understand how to use it):

request({
    uri: API,
    method: 'POST',
    json: true,
    form: {
      'username': ~username,   // ~name is a placeholder: the value is filled in at deployment
      'password': ~password
    }
}, function (err, res, body) {
    // handle the response here
});

And run the following command during deployment

npm start username user123 password password123

Jenny Hilton
  • User password for what? What does the app do? – Bergi Aug 23 '17 at 19:56
  • @Bergi This code should run in the cloud and should provide the user password to the cloud provider, but my question is about any user password which a node app should provide and that you want to supply during deployment... – Jenny Hilton Aug 23 '17 at 19:59
  • But what user are you talking about? The "user" who sets up the application on the server? The user(s) of the web application? – Bergi Aug 23 '17 at 21:04

3 Answers

2

You can make use of environment variables.

Let's say you have an environment variable called USERNAME.
You can access it in your Node.js application like this:

console.log( process.env.USERNAME )

You can supply environment variables when starting your application like this:

USERNAME=example npm start

You may also want to check this super cool project called dotenv which loads environment variables from a .env file.

You can add .env to your .gitignore and the credentials won't be shipped with the code.

Kayvan Mazaheri
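An added example (not code from Kayvan's answer) showing how to make the environment-variable approach fail safely: the required names are checked at startup, a value in the real environment overrides a .env file, and the password is redacted before anything is logged. A small .env parser is included so it runs without the dotenv package. The names APP_USERNAME and APP_PASSWORD (prefixed, because plain USERNAME is already set by the OS on Windows), the sample .env text and the loadConfig/redact helpers are assumptions for illustration.

```javascript
// Added example: load credentials from the environment (with an optional
// .env fallback), fail fast when one is missing, never echo the secret.
// Variable names, sample .env text and helper names are assumptions.
'use strict';

// Parse KEY=VALUE lines; comments and blank lines are ignored, surrounding
// single or double quotes are stripped. Enough for the .env shape dotenv uses.
function parseDotenv(text) {
  const out = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if ((value.startsWith('"') && value.endsWith('"')) ||
        (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    out[key] = value;
  }
  return out;
}

// The real process environment wins over the .env file, so a deployment can
// override a developer's local file without editing it. Throws if any
// required name is absent or empty, so a typo never turns into `undefined`.
function loadConfig(env, dotenvText, required) {
  const fileVars = dotenvText ? parseDotenv(dotenvText) : {};
  const merged = Object.assign({}, fileVars, env);
  const missing = required.filter((k) => !merged[k]);
  if (missing.length) {
    throw new Error('missing required environment variables: ' + missing.join(', '));
  }
  const config = {};
  for (const k of required) config[k] = merged[k];
  return config;
}

// Copy with the secret fields masked, for log lines and error messages.
function redact(config, secretKeys) {
  const copy = Object.assign({}, config);
  for (const k of secretKeys) if (k in copy) copy[k] = '***';
  return copy;
}

const REQUIRED = ['APP_USERNAME', 'APP_PASSWORD'];

// Constructed sample .env contents, standing in for fs.readFileSync('.env').
const SAMPLE_DOTENV =
  '# local development only, listed in .gitignore\n' +
  'APP_USERNAME=user123\n' +
  'APP_PASSWORD="p@ss w0rd"\n';

// The options object from the question, with values taken from config
// instead of literals.
function buildRequestOptions(api, config) {
  return {
    uri: api,
    method: 'POST',
    json: true,
    form: { username: config.APP_USERNAME, password: config.APP_PASSWORD },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // APP_USERNAME=user123 APP_PASSWORD=secret node app.js  (env overrides .env)
  const config = loadConfig(process.env, SAMPLE_DOTENV, REQUIRED);
  console.log('config loaded:', redact(config, ['APP_PASSWORD']));
  console.log('posting as', buildRequestOptions('https://api.example/login', config).form.username);
}
```

In a real app the .env text comes from `fs.readFileSync('.env', 'utf8')` guarded by an existence check, and `.env` is listed in `.gitignore` as the answer says; the production deployment then sets the variables in the process environment and ships no file at all.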
1

Your best bet would be to have an external config file and read the username and password configuration from that. :) You will need to make sure that your web app doesn't serve the config file to the public either. So I would recommend putting the config into a higher level directory than your server so you would have less chance of accidentally serving your config.

mustachioed
  • Oops, it looks like you just edited your post :/ and now my answer isn't relevant. – mustachioed Aug 23 '17 at 20:03
  • This is the same approach I've provided in the link, but I'm not sure this is the best way since, as you write, it can be accidentally served... – Jenny Hilton Aug 23 '17 at 20:04
  • 1
    @JennyHilton as my previous comment said I see that my answer is now sort of irrelevant. I wrote my post just before you edited. :) – mustachioed Aug 23 '17 at 20:05
  • 1
    @JennyHilton The easiest way is to add a JSON file to your project with the configuration that is ignored by git/svn. Then combine `fs.readFile` and `JSON.parse` to read the stored password – Mark Aug 23 '17 at 20:08
  • @MarkNijboer You've hit the nail right on the head! That's exactly what I meant. – mustachioed Aug 23 '17 at 20:11
1

I've built a similar app not so long ago. My folder structure was as follows:

root
|- app               // App logic (Not accessible in front-end)
|- templates         // Template files (Not accessible in front-end)
|- static            // Static files (Accessible in front-end)
|- config            // Config files (Not accessible in front-end)
   |- config.json    // Config file (Not accessible in front-end)
|- index.js          // Example JS file

if you add config/config.json to the .gitignore file, assuming you use git, it will not be transmitted when you push to production. This means that you have to make a config.json file in the production environment yourself that can hold different data than the development environment config.

Example config.json:

{
    "username" : "username1",
    "password" : "password123"
}

If you need the password in index.js you do the following:

const fs = require('fs');

// Path is relative to the process working directory, not to this file
fs.readFile('./config/config.json', 'utf8', function(err, raw) {
    if (err) {
        // Fail loudly: a missing or unreadable secrets file should stop startup
        console.error('could not read config/config.json:', err.message);
        process.exit(1);
    }
    // Use a new name: `const data = JSON.parse(data)` shadowed the callback
    // parameter and threw a ReferenceError at runtime
    const config = JSON.parse(raw);
    const username = config.username;
    const password = config.password;

    // Use password here or store it in a local variable to use it later
});
Mark