I am new to programming in node.js. I want to know if there is a way to create a environment specific property file, the same way we create in java and read from there. Is there a similar way we can do it in node.js? I have to connect to the db and it has user, connect string and password. I need that to be environment specific.
Most people use environment variables for environment-specific variables ;)
If you want to be able to supply those from a file, you can use the dotenv npm package to read defaults from a .env file, or you can use something like direnv if you don't want to alter your code, and just want to be able to specify environment variables automatically depending on your working directory.
I'd say that dotenv is the common way to do this for development environments.
Yes! You need .env files. See this guide for details: https://www.freecodecamp.org/news/nodejs-custom-env-files-in-your-apps-fa7b3e67abe1/
Related
What's the best way to set environment variables when developing nodejs on a local machine for App Engine Flex environment? If they're set in app.yaml then they don't get set during local development. Is there a way to force this, or should I use something like dotenv and keep track of the same environment variables in 2 places?
Sensitive data (e.g. API Keys) should not be committed to source code.
The way I went around that is storing a .env file in Google Storage. Then you can use #google-cloud/storage to download it in production (using a prestart hook) and dotenv to load variables into memory.
You may find a full guide here: http://gunargessner.com/gcloud-env-vars/
PS: I would go for Aidan's answer for storing any data that is not sensitive. I have myself used dotenv satisfactorily in the past.
Similar to that, there's nconf, the package that gcloud itself uses for examples. Pretty neat!
Option 1:
require('dotenv').config({path: '/custom/project/root/app.yaml'})
Option 2:
Maintain both a .env file and a .yaml file with the same keys but different values (local and GAE, respectively). In app.yaml, I make sure not to deploy my .env file by adding the following line:
skip_files : .env
You will then need to add a check on ('dotenv').config() to make sure that it doesn't error or overwrite your process variables if no .env file is detected.
Aidan's suggestion is good.
As configurations should be different on GAE and local, I would suggest option 2 is best - a separate .ENV for local and .YAML for GAE environments.
One minor point though. I'd suggest to add a .gcloudignore files, something like the below:
.gcloudignore
.git
.gitignore
.env
staging.yaml
node_modules/
I am building a web app which will be sending out emails for sign up verification. I will be using https://github.com/RGBboy/express-mailer. I wanted to know whether it is safe for me to display the email password in the code and push it to the server (Heroku, AWS etc.) where the app is hosted. If not, what alternative methods should I use to 'hide' the password?
It is usually considered bad practice to have plaintext secrets/credentials stored under version control. As that could lead to security issues
Usually these sorts of info are set as environment variables. Heroku has a pretty straightforward way of doing this configuration. You can either use their web admin, or set them via command line.
As for other cases, like your development setup, this could be done with the use of .env files, which are loaded and have its values exposed to your running code. Since [express-mailer][2] is a node application, I suggest using some npm package like dotenv or node-env-file automatically do this loading.I personally prefer dotenv which I feel is simpler.
You should also check out this article regarding the use of .env files. The basic idea is to have your .gitignore(or equivalent) to ignore your .env file, thus ensuring your secret credentials are never introduced in your version control. And then setup an .env.sample file to show the developer which data needs to be declared on said .env file.
Example:
.env
EMAIL=foo#bar.com
PASSWORD=AahUbf796
S3_TOKEN=ASVNS7843NCA87SDVNBRT9
.env.sample
EMAIL=<email to access the account>
PASSWORD=<secret password>
S3_TOKEN=<s3 token for application foobar>
You shouldn't ever store secrets in version control.
One alternative (which I personally like the best) is setting secrets as environment variables for your application in your production environment. Heroku I think supports this. This is also the approach that for example Rails takes. Dev/test "secrets" (which are not actually real credentials to anything valuable) can still of course be stored in your VCS.
Another option is to encrypt the user credentials in your source code and decrypt them from your source code.
I've come across people using both methods to do config management.
What are the pros and cons of each approach?
If I have a lot of variables that I store in my config object, will I have to set them all one by one in an upstart script before executing the node app?
You generally use envvar to keep an application stateless. The same codebase should work in dev, staging, test and production environment.
You will put var like MySQL config, API keys, if log is enabled or not, if debug is on or not ...
Config file are used for variables which are not dependent of the environment. For instance, name of the application, number of items per page ...
I guess you can use config.json file for storing big configs. ENV I've usually use for passing application port or something very important for normal application start. For example if you use some external lib, it's better to be able to pass custom path to lib executor in ENV.
P.S. You should never save config.json in SVN.
I am new to node/express and was wondering
where should I store environment variables?
where I should store config files?
if there's an example out there on how to configure the config file?
Thanks!!
You can store your config files under config dir and load them based on your requirement.
As for environment variables, if you mean the variables passed during run time execution; then I believe you can directly access them under your project. If you mean to store project level information then you can use something like project.json and also have env variables in it.
You can use this project as reference for both the tasks.
I am building a Node.js application and need to store database credentials (and other runtime properties) in such a way that they can be read when deployed on Heroku. My source is available in a public GitHub repository.
I am currently using environment variables, configured using heroku config:add, but am looking to understand if there are any alternatives. I would potentially like to use Cloud9 IDE, but it does not currently support environment variables.
Another option is to store the parameters in a config. file, but I believe the file would need to be checked in to Git (and as such, be publicly available) in order to be pushed to Heroku.
Thanks for your help.
ENV vars are generally considered the way to go, and the way Heroku do it themselves for database_urls and the like.
As you and your app are the only people with access to the env vars, you're generally OK security wise.
Putting credentials in Git or similar is a bad idea as it's another place that needs to be secured.
The one way I know of to solve the problem for development using command-line arguments. These can be specified in your run/debug configuration. You can then access the parameters in process.argv. Of course this means that they will be stored in your Cloud9IDE dev environment. You could then use the ENV variables in a retail production. This will at least prevent the credentials from being visible in source or config files.