Question
I started learning NodeJS a few days ago, and I'm facing a question about the credentials of the database and the gmail connection (the latter needed for nodemailer).
Essentially what I did is create a file like this:
const config = {
  development: {
    url: '127.0.0.1',
    database: {
      host: 'mongodb://localhost',
      port: '27017',
      db: 'foo'
    },
    gmail: {
      username: 'foo@gmail.com',
      password: 'foo',
    },
    server: {
      host: '127.0.0.1',
      port: '3000'
    }
  },
  production: {
    url: 'https://my.site.com',
    database: {
      host: '127.0.0.1',
      port: '27017',
      db: 'foo'
    },
    gmail: {
      username: 'foo@gmail.com',
      password: 'foo',
    },
    server: {
      host: '127.0.0.1',
      port: '3000'
    }
  }
};
module.exports = config;
I do not like to enter this information into the app, so after some research I found this library: dotenv. This lib stores the info inside the process.env variable, but the substance is the same. Why should I prefer a solution like dotenv against my config module?
What do you suggest?
Answer 1:
You have to use the dotenv package because it creates a file and saves it into your process, whereas config.js will not save in the process. But why do I have to save in Process?? First, credentials will never be pushed to git or any other version-control system. If we don't push this file to git, and I clone it some time later, the program will crash. But in this case, if I use process.env, the program will not crash. And second, if we have a big team we can also put extra security on the process file, but cannot put extra security on the JS file, because the developing team should have access to these files for editing and other stuff.
This is a useful link for more info: https://medium.com/@sherryhsu/managing-configurations-in-node-js-apps-with-dotenv-and-convict-d74070d37373
Answer 2:
I absolutely recommend dotenv, this is what it was created for. However, what I would recommend to use specifically is the dotenv-safe npm package. That offers upgraded features compared to dotenv. Since you are not going to push your .env.xy files to version management such as git with all the sensitive data in them, you can quickly get confused about what variables you should be putting into your environment files, especially if you are working in teams. Let's say Adam creates a new env variable, uses it in his code and pushes his code. Since the env files are in .gitignore, you only get to notice that Adam introduced a new env variable when your code TRIES TO USE THE VARIABLE and breaks. With dotenv-safe however, you push your .env.example file with valid keys but dummy values, for example MY_API_KEY=somerandomgibberish, to git, while your real value would be MY_API_KEY=aaf347xkhskallmtopsecret in your .env.production file. Dotenv-safe doesn't allow running your app if your real .env file, in this case .env.production, has any mismatching keys compared to the .env.example which you just pulled from git. This way, you discover that Adam added his new env variable when STARTING YOUR APP. This way, no unexpected behaviour will come up once your app has all the variables it has predefined in .env.example, protecting you from a lot of headache and thousands of unnecessary redeploys in the long run. :)
Source: https://stackoverflow.com/questions/55021963/which-is-the-best-way-to-store-sensitive-credentials-in-node