With mongoose.connect('mongodb://username:password#host:port/database?options...');, which I use in a script, I don't suppose there is any real way to hide the password?
Should I even be concerned if the Mongodb is only listening on 127.0.0.1? If my server can get exploited then the can just cat that script to get the password.
You can put the password in a environment variable when launching node, or read it from a file not checked into source control. If mongodb is only listening on localhost, an attacker would not be able to connect directly to the database from a remote machine. It would still be advisable to configure your firewall to block remote access, just in case some configuration change opens mongodb up publicly.
Here may be one related topic Store db password as plain text in node.js
Solution 1:
Use an environment variable.
Run your app with MONGO_PASSWORD=yourpasswd node app
Then you can access it inside the app with process.env.MONGO_PASSWORD
Solution 2:
Make a module (I call it "secrets") that exports all of your secret credentials. Don't check it into source control. Then, your app can just require('secrets').
Solution 3:
Trousseau is an encrypted key-value store designed to be a simple, safe and trustworthy place for your data.
All the answers above are good suggestions, but they still leave the password visible on the host in a easy to figure out location...rather in shell env variable or a file.
What I decided to do is upon every server boot up, make a job that creates a file for the mongoose script to be read that has the password. Then, have a cron job that deletes the file after 5 minutes after boot up. That password still exists on the system, but it would be much harder to trace where.
You will create a .env file on your node file.Then you put your User name and Password just like this DB_USER=Your Username and DB_PASS=Your password.
Then you will insert it to your index.js file by enter image description here
Related
I have a working APEX installation, running ORDS in standalone mode, with several applications in use.
I have enabled my schema for ORDS and installed the sample service.
However, when I try to test the https:///ords/rest/hr/employees/ service, I get a 404.
I've tried:
Another schema within the installation, and it doesn't work there either.
Resetting the sample service. Nada.
De-registering and re-registering the schema under a different alias and installing the sample service again. Zip
Why this isn't working?
After much research and trials, I've found the answer:
TLDR: the password for the ORDS_PUBLIC_USER has expired
I found this article that talks about this problem, from which I was able to figure things out.
Apparently, by default, passwords expire after 180 days (of non-logging in?) and the corresponding account is locked. This seems to have no effect on the general operation of ORDS or APEX, since our production environment has been running without a problem for over a year.
The article recommends resetting the passwords of the following system accounts.
APEX_PUBLIC_USER
APEX_LISTENER
APEX_REST_PUBLIC_USER
ORDS_PUBLIC_USER
However, upon running
select * from dba_users where username like 'APEX%'
I could see that only the ORDS_PUBLIC_USER account was locked, so I only dealt with that one.
The article said to use the original passwords from when ORDS was installed, but upon inquiring what that was, I thought it too unsafe, so I decided to change it. That meant two things:
Resetting the users database password with
alter user ORDS_PUBLIC_USER identified by password account unlock;
( change password to your desired password )
Change the password in the corresponding password file, which can be found at a path similar to /ords19/prod/ords/conf/apex_pu.xml and looks like this.
Replace the value of the db.username entry with an exclamation mark, followed by the plaintext password of your choice, and save the file. Thus, if you wanted to use the password foobar, you'd put !foobar. (Don't worry: When ORDS restarts and reads the file, it encrypts the password and writes the encrypted version back to the file so no one snooping around in your filesystem can get at it.)
After I did all this, I restarted ORDS, and voila! My REST sample service now returns data as intended! Thank you Internet.
When I'm connecting to database in node, I have to add db name, username, password etc. If I'm right every user can access js file, when he knows address. So... how it works? Is it safe?
Node.js server side source files should never be accessible to end-users.
In frameworks like Express the convention is that requests for static assets are handled by the static middleware which serves files only from a specific folder in your solution. Explicit requests for other source files that exists in your code base are thus ignored (404 is passed down the pipeline).
Consult
https://expressjs.com/en/starter/static-files.html
for more details.
Although there are other possible options to further limit the visibility of sensitive data, note that anyone on admin rights who gets the access to your server, would of course be able to retrieve the data (and this is perfectly acceptable).
I am assuming from the question that the DB and Node are on the same server. I am also assuming you have created either a JSON or env file or a function which picks up your DB parameters.
The one server = everything (code+DB) is not the best setup in the world. However, if you are limited to it, then it depends on the DB you are using. Mongo Community Edition will allow you to set up limited security protocols, such as creating users within the DB itself. This contains a {username password rights} combination which grants scaled rights based upon the type of user you set up. This is not foolproof but it is something of protection even if someone gets a hold of your DB parameters. If you are using a more extended version of MongoDB then this question would be superfluous. As to other DB's you need to consult the documentation.
However, all that being said, you should really have a DB set up behind a public server and only allow SSH into it, with an open port to receive information from your program. As the one server = everthing format is not safe in the end run, though it is fine for development.
If you are using MongoDB, you may want to take a look at Mongoose coupled with Mongoose Encryption. I personally do not use them but it may solve your problem in the short run.
If your DB is MySQL etc. then I suggest you look at the documentation.
i want to save the user's IP when he connects to it's home folder, this is because i'm a user in a server where my team has a folder where our public_html is located, but we use the same account, so i just want to register who connected.
So i want to make a script that triggers when a connection is made and save the user's IP into a hidden file.
But i don't know if i could leave running a script in background to do it, and How?
If you're a root on that machine, you can simply check the auth log / messages / journal / ... (depends on the distribution). By default sshd logs all you need already.
If you're not a root, then you'll have to keep in mind this will never be secure. You can do this in the user's bash profile, but:
Since it's running as the same user, whoever logs in can just change the file (you can't hide it)
Anyone can workaround the script by executing some other command instead of the shell (for example ssh user#host /some/command will not be logged)
It's not secret.
If that's ok with you, then you just need to add this to bashrc
echo "new connection at $(date) from ${SSH_CLIENT}" >> ~/your_connection_log
Different solution, which should've been the default actually. Most distributions provide login history which you can request for your account without root privileges.
Running last your_username should give you the details of last few logins which cannot be manipulated by the user. (the log can possibly be spammed with entries however)
Im trying to configure Xampp as I have done before and everything use to work.
Now, I am a bit concerned because even though I have set a password for my PhpMyadmin(exactly as I have done in the past), the system doesn't ask me to log in at anytime. What has changed?
Before I had to log in with username "root" and password and now it doesn't ask for it?
With phpMyAdmin, there are different means of authenticating ("auth_types"). These are generally set in the configuration file, config.inc.php, using a line like $cfg['Servers'][$i]['auth_type'] = 'cookie';.
Using cookie or http prompt the user for username and password when connecting; config means it's hardcoded in to the configuration file and you're automatically connected. The default in the official phpMyAdmin distribution is cookie, however it sounds like XAMPP makes it config. You should be able to change that simply by editing the config.inc.php file and changing (or adding) the line mentioned above..
In Jdeveloper, what happen if I remove cwallet.sso? what is this for?
I read that it stores security credentials, but I removed it and my secure pages still asked me to login and I was able to log in using the users that I have in jazn-data.xml and the users that I have in my weblogic server.
It's not used for that, and if you are defining the database connection on weblogic server you should not need it, but in development time when you define database connection, or any connection that has password for that matter the cwallet.sso is the one that save and hash this password so that when you copy the project to another person it still works fine.