Make Node server.js file safer by removing security information

Question

I have a public git[hub] project, and am now ready to switch it from development to production. We are in the research field, so we like to share our code too!

I have a server.js file that we start with node server.js like most tutorials.
In it, there is connection information for the SQL server, and the location of the HTTPS certificates. It looks something like this:

var https = require('https');
var express = require('express');
var ... = require('...');
var fs = require('fs');
var app = express();

var Sequelize = require('sequelize'),
                        // ('database', 'username', 'password');
  sequelize = new Sequelize('db',       'uname',    'pwd', {
    logging: function () {}, 
    dialect: 'mysql',
    …
  });
…
var secureServer = https.createServer({
    key: fs.readFileSync('./location/to/server.key'),
    cert: fs.readFileSync('./location/to/server.crt'),
    ca: fs.readFileSync('./location/to/ca.crt'),
    requestCert: true,
    rejectUnauthorized: false
}, app).listen('8443', function() {
    var port = secureServer.address().port;
    console.log('Secure Express server listening at localhost:%s', port);
});

In PHP you can have the connection information in another file, then import the files (and therefore variables) into scope to use. Is this possible for the SQL connection (db, uname, pwd) and the file locations of the certs (just to be safe) so that we can commit the server.js file to git and ignore/not follow the secret file?

Answer 1

You can do this in a lot of different ways. One would be to use environment variables like MYSQL_USER=foo MYSQL_PASSWD=bar node server.js and then use process.env.MYSQL_USER in the code.

You can also read from files as you have suggested. You can do require("config.json") and node will automatically parse and import the JSON as JavaScript constructs. You can then .gitignore config.json and perhaps provide an example.config.json.

If you want to support both of these at once there is at least one library that allows you to do this simply: nconf.

Answer 2

You can always just store the configuration information in a JSON file. Node natively supports JSON files. You can simply require it:

var conf = require('myconfig.json');

var key = fs.readFileSync(conf.ssl_keyfile);

There are also 3rd party libraries for managing JSON config files that add various features. I personally like config.json because it allows you to publish a sample config file with empty values then, without modifying the sample config file, you can override those values using a .local.json file. It makes it easier to deal with config files in repos and also makes it easier to publish changes to the config file.