When we work on a project, especially on a server or back end for an application, we need credentials: credentials to connect to our databases, API keys, usernames and passwords, and the list goes on. For obvious security reasons, committing these to our repository, even a private one, is never recommended, because we would be exposing our credentials on the internet.
In this tutorial, we will learn how to use our credentials securely with the help of environment variables and the JavaScript library dotenv.
Requirements
- A NodeJS / Express server.
- A repository for our project. Here we'll use Git.
- NPM package manager.
Set up
We can create an Express application easily with the help of the Express application generator. Note: depending on your setup, you may need sudo for the global installation.
After installing this package globally with NPM, we can create our application with the following command:
This command will create a folder with the name we choose and create all the structure we need in order to run our Express application. As its output says, we need to go into the folder and run the npm install command to install all the dependencies we need to run the server. There might be some warnings, which we can ignore.
Now, we need to install the dotenv package via NPM.
And finally, we need to set up a repository for our project. As I said before, I'm going to use Git.
Now we need to create an additional file that we will call index.js, where we'll set the port on which our application will listen for requests and also start our server.
If everything went as expected, we can now execute node index.js in our terminal, and when we go to the address localhost:5000/ in our browser, we'll see the following:
Configuring dotenv
Now that everything's working, we can start to configure dotenv.
First, we need to create a file called .env in the root of our project. This is where we are going to store all the environment variables we need to use. In this file, we store our variables like this: VAR=VALUE.
We'll be working on the index route that we can find in ./routes/index.js. Here, we'll need to import or require the dotenv package. We will use the views that our Express application created by default, but we can use our environment variables wherever we need them. I'm going to pass the content of my environment variables to the view via ES6 template strings, so they will be rendered in the title of the index view. Also, I'm going to print them in the console, so every time I access / in the browser, their content will be printed in the terminal. Remember that this is not the purpose of environment variables, only a demonstration of how the dotenv package works.
After saving the changes, we stop our server in the terminal and then run it again. Now, we'll access http://localhost:5000/ again to see the changes.
And that's it. That's how we set up our custom environment variables and use them in our NodeJS / Express project.
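As an added example (not code from the original tutorial): once dotenv has populated process.env, the application can check at startup that every credential it needs is present, and log only the variable names rather than their values. The variable names DB_USER, DB_PASS and API_KEY and the sample values are assumptions made for this example.

```javascript
'use strict';

// Assumed variable names; replace with the ones defined in your own .env file.
const REQUIRED = ['DB_USER', 'DB_PASS', 'API_KEY'];

// Build a frozen config object from an environment map (normally process.env
// after require('dotenv').config() has run). Throws if anything is missing.
function loadConfig(env, required = REQUIRED) {
  const missing = required.filter((name) => {
    const value = env[name];
    return typeof value !== 'string' || value.trim() === '';
  });
  if (missing.length > 0) {
    // Report variable names only; never echo values into logs.
    throw new Error(`Missing environment variables: ${missing.join(', ')}`);
  }
  const config = {};
  for (const name of required) config[name] = env[name];
  return Object.freeze(config);
}

// Produce a log-safe view of the config: names are kept, values are masked.
function redact(config) {
  const out = {};
  for (const name of Object.keys(config)) out[name] = '[redacted]';
  return out;
}

// Constructed sample standing in for process.env; the values are fake.
const sampleEnv = {
  DB_USER: 'appuser',
  DB_PASS: 'not-a-real-password',
  API_KEY: 'k-0000',
};

const config = loadConfig(sampleEnv);
console.log('Loaded configuration:', redact(config));

// A .env file with an empty or absent entry stops the server at startup.
try {
  loadConfig({ DB_USER: 'appuser', DB_PASS: '' });
} catch (err) {
  console.log(err.message);
}
```

In a real project, call loadConfig(process.env) in index.js right after dotenv is loaded, so the server refuses to start with an incomplete .env file.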
Final Step: Securing our .env file
We have just configured the dotenv package to read our environment variables from the .env file. This file will likely contain a lot of information that we don't want to share, or even commit to our repository. So, in order to keep our .env file out of our repository and our commits, we need to exclude it using a .gitignore file. There, we write the names of all the directories and files that we don't want to commit to our repository.
We simply need to create a file called .gitignore in the root of our project (or wherever our repository was initialized) and add the following content to avoid committing our .env file.
So, if we run the command git status in the terminal, we'll see that neither the .env file nor the /node_modules directory is listed.
So, that's it. We've just learned how to work securely with our environment variables and credentials.
All the screenshots were taken by me
Posted on Utopian.io - Rewarding Open Source Contributors