When you learn front-end development, the creed is to never store passwords on the client--only on the server/db. So now I'm building API's and using third-parties like Twitter and I'm realizing that since I'm using Github, and later pushing to Heroku, I have no place on the server to store my tokens/secrets (since Heroku pulls from Github I can't add to a .gitignore).
I've come to two solutions:
1) Store in a db. That option seems trivial for smaller apps but scalability.
2) Encrypt the info on the server and upload that way.
What are the best practices when you have sensitive info, and are pushing to Heroku from Github?
The answer here is this (for anyone who finds this thread): use Heroku environment variables.
Heroku encourages you to store any application specific sensitive information in environment variables. You can set these variables via the Heroku command line tool, or the Heroku dashboard.
If you'd like to set Heroku environment variables on the command line, you can do so like this:
$ heroku config:set MY_VARIABLE=my_value
That will store the environment variable.
Since you're using Node.js, you can then read the value of these variables in your Heroku code by doing something like this:
console.log(process.env.MY_VARIABLE);
In Node, you can access environment variables via process.env as an object =)
Related
I develop an application with nodejs and react. I use dotenv for configuration in my different environment.
I use TFS 2017 for build and release my application.
What is the best practise for add my .env file of production environment?
Production configs can be difficult to maintain. You can use any module or even write your own custom module to load environment variable in to your application.
However, maintaining production .env files locally for each product (i.e. committing them or putting them inside your docker image is a bad idea. If you ever happen to change some of those configs, you will have to manually change in the code for each application, build docker image (if required) and redeploy. If there are just a couple of applications, it might be easy. But if the number of related applications grow in size (as usually happens in case of microservice based architecture) - all of them sharing credentials, ips for database connections etc. it becomes a hectic task to manually change code and redeploy all the applications.
Usually, developers tend to keep a central repository of all credentials and environment variables. For examples, AWS offers parameter store and MS Azure offers Azure Key vault. In such a case, all the parameters are fetched during start time, and all we have to do is restart the application.
So usually people set only one global varibale NODE_ENV (as prod or dev), dynamically fetch all environment variables based on NODE_ENV running something like env $(node read-env-variables.js) node app.js.
I am building a web app which will be sending out emails for sign up verification. I will be using https://github.com/RGBboy/express-mailer. I wanted to know whether it is safe for me to display the email password in the code and push it to the server (Heroku, AWS etc.) where the app is hosted. If not, what alternative methods should I use to 'hide' the password?
It is usually considered bad practice to have plaintext secrets/credentials stored under version control. As that could lead to security issues
Usually these sorts of info are set as environment variables. Heroku has a pretty straightforward way of doing this configuration. You can either use their web admin, or set them via command line.
As for other cases, like your development setup, this could be done with the use of .env files, which are loaded and have its values exposed to your running code. Since [express-mailer][2] is a node application, I suggest using some npm package like dotenv or node-env-file automatically do this loading.I personally prefer dotenv which I feel is simpler.
You should also check out this article regarding the use of .env files. The basic idea is to have your .gitignore(or equivalent) to ignore your .env file, thus ensuring your secret credentials are never introduced in your version control. And then setup an .env.sample file to show the developer which data needs to be declared on said .env file.
Example:
.env
EMAIL=foo#bar.com
PASSWORD=AahUbf796
S3_TOKEN=ASVNS7843NCA87SDVNBRT9
.env.sample
EMAIL=<email to access the account>
PASSWORD=<secret password>
S3_TOKEN=<s3 token for application foobar>
You shouldn't ever store secrets in version control.
One alternative (which I personally like the best) is setting secrets as environment variables for your application in your production environment. Heroku I think supports this. This is also the approach that for example Rails takes. Dev/test "secrets" (which are not actually real credentials to anything valuable) can still of course be stored in your VCS.
Another option is to encrypt the user credentials in your source code and decrypt them from your source code.
I've come across people using both methods to do config management.
What are the pros and cons of each approach?
If I have a lot of variables that I store in my config object, will I have to set them all one by one in an upstart script before executing the node app?
You generally use envvar to keep an application stateless. The same codebase should work in dev, staging, test and production environment.
You will put var like MySQL config, API keys, if log is enabled or not, if debug is on or not ...
Config file are used for variables which are not dependent of the environment. For instance, name of the application, number of items per page ...
I guess you can use config.json file for storing big configs. ENV I've usually use for passing application port or something very important for normal application start. For example if you use some external lib, it's better to be able to pass custom path to lib executor in ENV.
P.S. You should never save config.json in SVN.
It seems that my workflow would be improved if I had some way to automatically manage my environment variables so I can have different sets load automatically depending on if the server is running locally or running on Heroku.
What are my choices? Heroku must be using something on their end, because there are variable like local.env.PORT. What are they using? I was thinking that maybe if I use the same thing it would be easier.
I believe you can use the Foreman ruby gem with Heroku even if you are deploying apps using Node.js.
Foreman allows you to specify different application configurations on your local and remote application servers. I use it to control and manage my workers, web instances on Heroku for my rails apps.
Here's a link to a Heroku page showing how to manage environment variables using foreman:
https://devcenter.heroku.com/articles/config-vars
You're looking for something like figaro which is quite useful. There is a node-figaro project inspired by figaro, but the docs are unclear on how to actually use the project to initialize environment variables.
I am building a Node.js application and need to store database credentials (and other runtime properties) in such a way that they can be read when deployed on Heroku. My source is available in a public GitHub repository.
I am currently using environment variables, configured using heroku config:add, but am looking to understand if there are any alternatives. I would potentially like to use Cloud9 IDE, but it does not currently support environment variables.
Another option is to store the parameters in a config. file, but I believe the file would need to be checked in to Git (and as such, be publicly available) in order to be pushed to Heroku.
Thanks for your help.
ENV vars are generally considered the way to go, and the way Heroku do it themselves for database_urls and the like.
As you and your app are the only people with access to the env vars, you're generally OK security wise.
Putting credentials in Git or similar is a bad idea as it's another place that needs to be secured.
The one way I know of to solve the problem for development using command-line arguments. These can be specified in your run/debug configuration. You can then access the parameters in process.argv. Of course this means that they will be stored in your Cloud9IDE dev environment. You could then use the ENV variables in a retail production. This will at least prevent the credentials from being visible in source or config files.