How to hide my password when deploying nodejs through FTP - node.js

How to hide my password when deploying nodejs through FTP?
It seems the following code will be seen by everyone in GitHub repository.
Also, when people download my file, they can also see the password.
How to avoid this problem? Thank you very much!
const Client = require('ftp');
const connectionProperties = {
host: 'ftp.example.com',
user: '',
password: '12345678'

Use dotenv to retreive all environment variables from .env file.
Installation
npm install dotenv
In your .env file.
HOST=ftp.example.com
PASSWORD=12345678
In your script file
const dotenv = require('dotenv')
dotenv.config()
const Client = require('ftp');
const connectionProperties = {
host: process.env.HOST,
user: '',
password: process.env.PASSWORD
Please note that you should edit .gitignore file ignore .env file from the git source control.

Related

How can I define dev & production ENV using express & mysql2?

I found some other similar answers to this, but I was not confident in my ability to comprehend and get it right, so I'm hoping to get a little validation on my approach if it's right, seeing as what i've cobbled together is from a tutorial. I've also included the requires, as I'm not actually calling express in this file (db.js) but it is used in other places:
(PS. I am deploying to Heroku, and using JawsDB as my production DB)
require("dotenv").config();
const mysql = require("mysql2");
//const { DatabaseError } = require('pg');
const pool = mysql.createPool({
host: process.env.DB_HOST,
user: process.env.DB_USER,
database: process.env.DB_NAME,
password: process.env.DB_PASSWORD,
});
and this is what i'm thinking of doing:
app.configure('production', function(){
app.locals.URLs = {
const pool = mysql.createPool({
host: process.env.DB_HOST_LOCAL,
user: process.env.DB_USER_LOCAL,
database: process.env.DB_NAME_LOCAL,
password: process.env.DB_PASSWORD_LOCAL,
}
});
app.configure('development', function(){
app.locals.URLs = {
const pool = mysql.createPool({
host: process.env.DB_HOST_JAWS,
user: process.env.DB_USER_JAWS,
database: process.env.DB_NAME_JAWS,
password: process.env.DB_PASSWORD_JAWS,
}
});
is this right, and will I need to require app = require('express')?
If you want to inject anything into express (router, middleware, configuration, template engine, etc) then you're gonna need "app". With locals you are creating a "URLs" property inside your app instance.
This is not a big deal but you could instead module.exports = pool; as an independent js module and use it regardless of Express.
About your env, be cautious no to leak production passwords into development nor a developer's local configuration into production. That said you don't need a if.. else for your configuration. I also spot you don't have an env configuration for tests...
Here in the docs the prefered way to load your vars is by preloading them.
node -r dotenv/config your_script.js
You can also customize your .env file if you enjoy .env.local .env.production .env.test approach
node -r dotenv/config your_script.js dotenv_config_path=/custom/path/to/.env
This also allows you to have multiple settings without worry of conflicts / unintended overrides or leftovers.
You could also
inject individual variables via cross-env
inject production variables via PM2

Cant access variables from .env file in node.js application

I am trying to dockerize a strapi app with mongodb atlas database. The issue I am facing is that database file in /config is not reading the variable from .env file.
.env file
HOST=0.0.0.0
PORT=1337
DATABASE_HOST=xyz.mongodb.net
DATABASE_USERNAME=abc-admin
DATABASE_PASSWORD=12345xyz
ADMIN_JWT_SECRET=abcd1234
Database connection code
const {
DATABASE_HOST,
DATABASE_USERNAME,
DATABASE_PASSWORD
} = process.env;
module.exports = ({ env }) =>
({
defaultConnection: 'default',
connections: {
default: {
connector: 'mongoose',
settings: {
host: env('DATABASE_HOST', process.env.DATABASE_HOST),
srv: env.bool('DATABASE_SRV', true),
port: env.int('DATABASE_PORT', 27017),
database: env('DATABASE_NAME', 'xyz-dev'),
username: env('DATABASE_USERNAME', process.env.DATABASE_USERNAME),
password: env('DATABASE_PASSWORD', process.env.DATABASE_PASSWORD)
},
options: {
authenticationDatabase: env('AUTHENTICATION_DATABASE', null),
ssl: env.bool('DATABASE_SSL', true),
},
},
},
});
I have tried with process.env and without it in the above file. But when I run the image after build it shows below error
error Error connecting to the Mongo database. URI does not have
hostname, domain name and tld
Any idea what I am doing wrong here? Thanks
One option is to use dotenv you need to import dotenv and run dotenv.config() before you can start using env variables
so change to
import dotenv from "dotenv";
dotenv.config()
// your code which user process.env
other option is to define all those env variable on your OS level. On unix you can add to ~/.bashrc file
Here's a bit more elaborate answer to your question (after reading your comments). Creating .env file means you just created it. It doesn't get automatically loaded. It's a typical way to use on unix machines, but has no relation to Node whatsoever.
What you need to do is somehow parse the content of that file (which is purely text), convert it to key-value pairs and pass it to node. There are many packages, and one that Amit showed is dotenv. It does all the work for you, and at the end, you get your variables injected inside process.env.
The simplest way would be to install this package (from npm) and use it as described. But if you cannot modify the code in any way, then you can simply parse the content of the file with a script, and then start the node server. Here's an example (taken from npm scripts: read .env file):
"scripts": {
"example": "some-lib --argument --domain $(grep DOMAIN .env | cut -d '=' -f2)"
}
The drawback here is that it doesn't work across various operating systems and that using a specific library for that is way more tested than your manual scripts.

Hide password by ignoring file in .gitignore, but unable to deploy to Heroku?

I was trying to deploy my Node JS application to Heroku. Heroku was connected to my Github account and deployed through Github. In my Node JS application, I created a SQL pool file awsPool.js using the following code:
const mysql = require('mysql');
const awsPool = mysql.createPool({
connectionLimit: 10,
host: "myDb.abcdefg.eu-west-2.rds.amazonaws.com",
user: "myUsername",
password: "myPassword",
port: 3306,
database: 'myDb',
debug: false
});
module.exports = awsPool;
And imported it in my Express application. The pool contains credentials such as my username and password, so I set them as ignored in .gitignore. However, when trying to deploy the application to Heroku, Heroku gave me this error:
Error: Cannot find module './awsPool'
I understand this is likely due to awsPool.js being not tracked in my Github, but how can I properly hide my credentials and deploy to Heroku?
You can use ponto .env files that will define your credentials. So when you are going to deploy your application on Heroku you will only need to define your environment variables

in nodejs app how to use dotenv and config?

I am new to development, i understand that dotenv create environment variables that we don't want to expose in our code , while config create similar variables to be used by app for configuration however I am little confused about use case. could you explain it a little or point me to further resource for better understanding. and is there any other similar packages that create environment variables and how are they used ?
The way I do it is using both dotenv and config packages.
You'd create a .env file (which you'll add to .gitignore)
For example
client_id='1234'
client_secret='XXXXX'
Then you create a folder called config at the root of your project, and inside it a file default.js
In this file you'll add first
require('dotenv').config();
and then you can export js friendly variables
require('dotenv').config();
export const client = {
clientId: process.env.client_id,
clientSecret: process.env.client_secret
}
Finally you can use these in your index.ts for example
import config from 'config';
console.log(config.get('client'));
// { clientId: '1234', clientSecret: 'XXXXX'}
You can use dotenv npm package for this use case
create a .env file in your project something similar to:
DB_HOST=localhost
DB_USER=root
DB_PASS=s1mpl3
then you can configure your file:
const dotenv = require('dotenv');
dotenv.config({ path: path.resolve(__dirname, './config.env') })
then you can use them like:
db.connect({
host: process.env.DB_HOST,
username: process.env.DB_USER,
password: process.env.DB_PASS
})

How do I setup the dotenv file in Node.js?

I am trying to use the dotenv NPM package and it is not working for me. I have a file config/config.js with the following content:
'use strict';
var dotenv = require('dotenv');
dotenv.load();
console.log('config');
I have another file .env at the root of my application folder. I also have an environment variable TWILIO_ACCOUNT_SID.
This is the process I go through while trying to use the environment variables in a certain function:
$ node
> require('./config/config.js');
config
{}
> process.env.TWILIO_ACCOUNT_SID
undefined
I defined the TWILIO_ACCOUNT_SID in my .env file but as soon as I try to output the value in my console, I get an error stating that the variable is undefined.
I will be very grateful for any support in troubleshooting this issue.
In my case, every time I tried to get a key from the .env file using process.env.MY_KEY, it returned undefined.
I suffered from this problem for two hours just because I named the file something like keys.env which is not considered to be a .env file.
So here is the troubleshooting list:
The filename should be .env (I believe .env.test is also acceptable).
Make sure you are requiring it as early as possible in your application using this statement require('dotenv').config();
The .env file should be in the root directory of your project.
Follow the "file writing rules" like DB_HOST=localhost, no need to wrap values in double/single quotes.
Also, check the documentation of the package on the NPM site.
I solved this using:
require('dotenv').config({path: __dirname + '/.env'})
or with an absolute path:
C:\\asd\\auhsd\\.env
If it does not find the .env file, it will return undefined.
Save yourself some troubleshooting time and log your require call, like so:
console.log(require('dotenv').config())
You should see an error with more detailed info on the problem.
Had the same issue recently. Check your .env file and use equal sign not colon. Here's an example:
key=value
instead of:
key:value
I had the same problem. I realized my file was somehow encoded in UCS-2 BE BOM. Converting my .env file to UTF-8 fixed it (you can easily do that using Notepad++, for example).
i didn't put my environment variables in the right format as was in the dotenv module documentation e.g. i was doing export TWILIO_CALLER_ID="+wwehehe" and so the dotenv module wasn't parsing my file correctly. When i noticed that i removed the export keyword from the declarations and everything worked fine.
I had the same problem and I tried 4 hours to find the fault. In my case, it was bizarre.
When I tried "node app.js", it worked. When I wanted a daemon to start it, it did not work.
How did I solve my problem?
I replaced:
var dotenv = require('dotenv');
dotenv.load();
with:
var dotenv = require('dotenv').config({path: path.join(__dirname, '.env')})
Make sure that variables are not already set. Dotenv won't override them.
If variables are set then you will have to remove them. In powershell you can use the following command - as mentioned here:
Remove-Item Env:\MyTestVariable
I had a problem also with .env variables not loading and being undefined.
What I tried:
index.js:
import dotenv from 'dotenv';
dotenv.config();
import models from './models';
models.js
import Sequelize from 'sequelize';
const sequelize = new Sequelize(
process.env.DATABASE,
process.env.DATABASE_USER,
process.env.DATABASE_PASSWORD,
{
dialect: 'postgres',
}
);
Apparently, because of how loading the imports works in nodejs, the import of models in index.js caused that the models.js was executed before dotenv.config(). Therefore I got undefined values from process.env.
When I changed models.js to do the dotenv configuration like:
import Sequelize from 'sequelize';
import dotenv from 'dotenv';
dotenv.config();
const sequelize = new Sequelize(
process.env.DATABASE,
process.env.DATABASE_USER,
process.env.DATABASE_PASSWORD,
{
dialect: 'postgres',
}
);
it started to work!
Take care that you also execute your Node script from the ROOT folder.
E.g. I was using a testing script in a subfolder called ./bin/test.js.
Calling it like: node ./bin/test.js worked totally fine.
Calling it from the subfolder like:
$ pwd
./bin
$ node ./test.js
causes dotenv to not find my ./.env file.
I am using NodeJS on windows 10. I used process.env.var-name to access the variables but failed because it gives me windows path variables as a JSON object, so I installed dotenv ( npm install dotenv ). dotenv gets process envirnoment variables from your project's .evn file
npm install dotenv or yarn add dotenv
const dotenv = require('dotenv');
dotenv.config();
process.env.variable_name
output
Make sure to set cwd in the pm2 config to the correct directory for any calls to dotenv.config().
Example:
Your index.js file is in /app/src, your .env file is in /app. Your index.js file has this
dotenv.config({path: "../.env"});
Your pm2 json config should have this:
"cwd": "/app/src", "script": "index.js"
You could also use dotenv.config({path: path.join(__dirname, "../.env")}); to avoid the CWD issue. You will still have a problem if you move the .env or the index.js file relative to each other.
Working Solution:
If you are using webpack (which you definitely should), use a very handy plugin dotenv-webpack which solves the issue of reading environment variables from .env file
Make sure .env is in root directory of your project.
Steps to install the plugin:
npm i -D dotenv-webpack
In webpack.config file:
const Dotenv = require('dotenv-webpack');
module.exports = {
...
plugins: [
new Dotenv(),
...
],
...
};
Now you can call any environment variable defined in .env file using process.env in any js file
My code structure using is as shown below
-.env
-app.js
-build
-src
|-modules
|-users
|-controller
|-userController.js
I have required .env at the top of my app.js
require('dotenv').config();
import express = require('express');
import bodyParser from 'body-parser';
import mongoose = require('mongoose');
The process.env.PORT works in my app.listen function. However, on my userController file not sure how this is happening but my problem was I was getting the secretKey value and type as string when I checked using console.log() but getting undefined when trying it on jwt.sign() e.g.
console.log('Type: '+ process.env.ACCESS_TOKEN_SECRET)
console.log(process.env.ACCESS_TOKEN_SECRET)
Result:
string
secret
jwt.sign giving error
let accessToken = jwt.sign(userObj, process.env.ACCESS_TOKEN_SECRET); //not working
Error was
Argument of type 'string | undefined' is not assignable to parameter of type 'Secret'.
Type 'undefined' is not assignable to type 'Secret'.
My Solution:
After reading the documentation. I required the env again in my file( which I probably should have in the first place ) and saved it to variable 'environment'
let environment = require('dotenv').config();
console logging environment this gives:
{
parsed: {
DB_HOST: 'localhost',
DB_USER: 'root',
DB_PASS: 'pass',
PORT: '3000',
ACCESS_TOKEN_SECRET: 'secretKey',
}
}
Using it on jwt.sign not works
let accessToken = jwt.sign(userObj, environment.parsed.ACCESS_TOKEN_SECRET);
Hope this helps, I was stuck on it for hours. Please feel free to add anything to my answer which may help explain more on this.
There's a lot of confusion about this topic and in these answers. I'm not surprised, that no single answer was accepted. Hopefully yet.
The answer by Basheer indeed solves most of the problems. However, there are few things you still need to know. Especially, if you're coming, like me, from frontend background and wants to add secrets to your frontend. Possibly, related to the introduction of some Server-Side Rendering (SSR) logic in the app.
Most probably you've seen this code in your webpack settings in a frontend app to solve the issue, as a frontend developer.
/* Custom webpack properties. */
const dotenv = require('dotenv-webpack');
module.exports = {
plugins: [
new dotenv(), // Handle environemntal variables on localhost, but on the Server-Side Rendering (SSR). There's no access to "process.env" on the browser.
],
};
Now, it'll work out fine, if you render on the server (SSR) across your app if the .env file is in the root of your project. However, it might not work if you have some custom server-related settings. An example of such situation is Angular Universal, Nuxt.js handles this much easier in which require('dotenv').config() in your next.config.js and makes you good to go. That's due to difference in philosophies between how Angular and Vue.js are handling SSR. To get Angular Universal app from Angular that's just 1 command, but the SSR app isn't as nicely organized as Nuxt.js. It comes with a price that to generate Nuxt.js app from Vue.js, you basically have to generate a new Nuxt.js project and copy files due to quite some differences between Nuxt.js and Vue.js setup. Don't know how React/Next.js and Svelte/Sapper solves this, but if similarly to Angular then you also might consider reading further.
Now, you've some server-related logic in a separated folder called server and let say the file is called main.ts. Maybe apart SSR in that file, you can also have sending mail (nodemailer?) logic. Then you'd like to use process.env, but apparently it doesn't work, even though you have the logic defined in webpack. That's where the require('dotenv').config(); is needed, even if you're using different syntax for import (such as import { Express } from 'express'; for example), require('dotenv').config(); will work like that. Don't feel confused. As long as .env is in the root of your app (don't confuse with server folder) and the variables have correct syntax inside that file, e.g.
MAIL_ACCOUNT=mymail#mydomain.com
MAIL_HOST=smtp.mydomain.com
MAIL_PORT=587
It'll work.
Last scenario, in the SSR app you realised that to host this app you need something called Serverless/Cloud Functions/FaaS. Here, I know only Firebase scenario. In your project, to deploy such app you might have functions folder, from which you deploy the SSR app to the Cloud Functions for Firebase, in this example. What a surprise, on a deployment mail is not working and after hours of figuring out what's happening in the logs you can see process.env.VARIABLE_NAME returning undefined. The reason is that as of today the CLI cannot merge files from other locations and indeed the .env file has to be manually copied to the functions folder. Once copy/paste the .env file to functions and deploy, it'll work.
What you can use for debugging is one of those:
console.log(require('dotenv').config());
console.log(require('dotenv').config({debug: true}));
However, be careful with your secrets, because these will be revealed when your .env setup will be done. Trying to access one of the secrets and trying to log its value in the logs might be more secure option. Especially, if you have many secrets and don't want to rewrite all.
Hope so this one post will cover most of the scenarios.
My problem was stupid. I created the .env in a text editor, and when I saved it it actually saved as
'.env.txt'
which was only visible after I did a
'ls -a'
in terminal and saw the file name.
A quick:
mv .env.txt .env
And I was in business
The '.env' file should be in the root directory of your node js server file (server.js or for me).
If you placed the '.env' file at the root of your project, it won't work. My mistake was that I have the server.js file nested in a folder named 'controller'.
So I had to fix it by placing the .env file in the same directory as the server.js file.
For React apps created with the create-react-app template, you don't need to use dotenv directly. react-scripts does that for you.
Simply creates a .env file in the top level directory of your project and add all your envs there, but notice that they MUST start with REACT_APP prefix, otherwise they will be ignored.
More details in their documentation. I just spent a couple of hours dealing with this and hope it will save you some time.
Had the same problem. I used dotenv-webpack and need to define
plugins: [
new Dotenv()
]
in both webpack production and webpack base files (I use webpack merge).
If was not defined in both files then it did not work.
If you are facing this problem it could be that the environment variable(s) is added/loaded after the file that requires the specific variable
const express = require('express');
const app = express();
const mongoose = require('mongoose');
const dotenv = require('dotenv');
const morgan = require('morgan');
const passport = require('passport'); //you want to use process.env.JWT_SECRET (you will get undefined)
dotenv.config();
in the above case, you will get undefined for the process.env.JWT_SECRET
So the solution is that you put dotenv.config() before const passport = require('passport');
const express = require('express');
const app = express();
const mongoose = require('mongoose');
const dotenv = require('dotenv');
const morgan = require('morgan');
dotenv.config();
const passport = require('passport'); //you want to use process.env.JWT_SECRET (you will get the value for the enviroment variable)
In my case, I've created a wrapper JS file in which I have the logic to select the correct variables according to my environment, dynamically.
I have these two functions, one it's a wrapper of a simple dotenv functionality, and the other discriminate between environments and set the result to the process.env object.
setEnvVariablesByEnvironment : ()=>{
return new Promise((resolve)=>{
if (process.env.NODE_ENV === undefined || process.env.NODE_ENV ==='development'){
logger.info('Lower / Development environment was detected');
environmentManager.getEnvironmentFromEnvFile()
.then(envFile => {
resolve(envFile);
});
}else{
logger.warn('Production or Stage environment was detected.');
resolve({
payload: process.env,
flag: true,
status: 0,
log: 'Returned environment variables placed in .env file.'
});
}
});
} ,
/*
Get environment variables from .env file, using dotEnv npm module.
*/
getEnvironmentFromEnvFile: () => {
return new Promise((resolve)=>{
logger.info('Trying to get configuration of environment variables from .env file');
env.config({
debug: (process.env.NODE_ENV === undefined || process.env.NODE_ENV === 'development')
});
resolve({
payload: process.env,
flag: true,
status: 0,
log: 'Returned environment variables placed in .env file.'
});
});
},
So, in my server.js file i only added the reference:
const envManager = require('./lib/application/config/environment/environment-manager');
And in my entry-point (server.js), it's just simple as use it.
envManager.setEnvVariablesByEnvironment()
.then(envVariables=>{
process.env= envVariables.payload;
const port = process.env.PORT_EXPOSE;
microService.listen(port, '0.0.0.0' , () =>{
let welcomeMessage = `Micro Service started at ${Date.now()}`;
logger.info(welcomeMessage);
logger.info(`${configuration.about.name} port configured -> : ${port}`);
logger.info(`App Author: ${configuration.about.owner}`);
logger.info(`App Version: ${configuration.about.version}`);
logger.info(`Created by: ${configuration.about.author}`);
});
});
I had to literally use no name for the .env file, just have the .env extension and save the file like that and it worked.
I solved this just renaming the file to .env
to y file was named config.env , when I renamed to .env , it works.
I spent a lot of time going through these fixes. I was developing locally and just had to restart the server because the .env file isn't hot reloaded.
is dotenv installed in your project?
Try to install it using npm install dotenv in your project.
Once it is installed load it in any files where you need it using const env = require('dotenv').config().
You can then use in any line where you need to. For example to call port from .env use: process.env.PORT
If you use "firebase-functions" to host your sever-side-rendered application, you should be aware of this one:
error: Error: ENOENT: no such file or directory, open 'C:\Codes\url_shortener\functions\.env'
Means you have to store the .env file in the functions folder as well.
Found this one by:
console.log(require('dotenv').config())
I cloned a repo from Github and went through every one of the suggestions here. After a lot of frustration, I realized that npm install did not install any of the modules and my node_modules folder was empty the whole time.
QUICK FIX:
1) delete your node_modules folder
2) delete your package-lock.json
3) run npm install
const dotenv = require('dotenv'),
path = require('path')
dotenv.config({path: path.join(__dirname, '../.env')})
I had the same problem. I had created a file named .env, but in reality the file ended up being .env.txt.
I created a new file, saved it in form of 'No Extension' and boom, the file was real .env and worked perfectly.
This is how i fix my issue
Intially had this in .env of the root of my project
const db_port = 90101
const db_host="localhost"
const db_username="name"
const db_password="pwd"
const db_name="db"
And all my env variables where undefined.
I fixed it by removing all the const and using just key=value insted of
const key="value"
db_port = 90101
db_host=localhost
db_username=name
db_password=pws
db_name=db

Resources