Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
142 views
in Technique[技术] by (71.8m points)

javascript - Correctly hiding database credentials

As you may see, I have my db connection file and another "protected" file, where my credentials are, and this file is included in .gitignore. I import it and reach the data. Quite basic. Therefore my questions are:

  1. Is this the right way to do it?
  2. If not, how should I do it? Plus: how could I add extra security to my account,connection?
  3. Let's suppose I have a private collection, that no one should see, how could I protect specially this collection? I mean, with a password or a two step verification let's say.

Current code:

const mongoose = require("mongoose");
const mongoCredentials = require("../protected/mongoCredential");

const URI = `mongodb+srv://${mongoCredentials.username}:${mongoCredential.password}
              @firstcluster-eldi8.mongodb.net/culturapp?retryWrites=true&w=majority`;

mongoose.connect(URI, { useUnifiedTopology: true, useNewUrlParser: true })
  .then(db => console.log("MongoDB is connected"))
  .catch(err => console.log(">> ERROR: ",err));

module.exports = mongoose;
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

...I have my db connection file and another "protected" file, where my credentials are, and this file is included in .gitignore. I import it and reach the data..

The correct way to do it is to use envrironmental variables.

Use environmental variables

Environmental variables are set on the environment, i.e your local development machine or the remote production server. Then, within your app, you read the environment variables and use them appropriately.

There's (at least) a couple reasons it's usually done like this:

  • The credentials don't exist in a file that can be read by someone viewing the repository contents. Someone cloning the repository doesn't need to know your database credentials.
  • The credentials are likely different between environments. You are likely using a different database on your local development machine and a different database in your remote production server.

Here's how you set environment variables (this is for Linux, other OS's might be different):

$ export MONGO_DB_USERNAME=foo
$ export MONGO_DB_PASSWORD=bar

and here's how you read them within Node.js:

console.log(process.env.MONGO_DB_USERNAME) // logs 'foo'
console.log(process.env.MONGO_DB_PASSWORD) // logs 'bar'

or pass variables to the process when starting up

Alternatively, you can pass variables when starting up the process like so:

$ MONGO_DB_USERNAME=foo MONGO_DB_PASSWORD=bar node app.js

However that's generally discouraged since you're most probably starting your process through the npm start script. Since package.json, where the npm start command is defined, is always committed to the repository it defeats the whole purpose of hiding the credentials.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...