Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Best practice for managing web service credentials for Node.JS?

We're planning a secure Node.JS server, which uses several third-party web services. Each requires credentials that will need to be configured by the operations team.

Clearly they could simply put them in plain text in a configuration file.

Microsoft .NET seems to offer a better option with DPAPI - see Credential storage best practices. Is there a way to make this available through IISNode? Or is there any other option to secure such credentials within Node-JS configuration?

  • Charles
like image 726
CharlesW Avatar asked Oct 09 '14 15:10

CharlesW


2 Answers

There's an extensive discussion of several options here, including the two suggested by xShirase:

http://pmuellr.blogspot.co.uk/2014/09/keeping-secrets-secret.html

User-defined services solves the problem, but only for Cloud Foundry.

This blog http://encosia.com/using-nconf-and-azure-to-avoid-leaking-secrets-on-github/ points out that you can often set environment variables separately on servers, and suggests using nconf to read them and config files separately.

I still wonder if there are specials for IIS?

  • Charles
like image 105
CharlesW Avatar answered Sep 18 '22 13:09

CharlesW


There is 2 ways to do it securely :

First one is to use command line parameters when you launch your app.

These parameters are then found in process.argv

So, node myapp.js username password would give you :

process.argv[0]=node
process.argv[1]=/.../myapp.js (absolute path)
process.argv[2]=username 
process.argv[3]=password 

Second is to set the credentials as ENV variables. It is generally considered as the best practice as only you have access to these variables.

You would have to set the variables using the export command, than you'd access it in process.env

like image 41
xShirase Avatar answered Sep 21 '22 13:09

xShirase