NodeJS - how to securely store ip, username and password of a database?

I have NodeJS code to connect to a MySQL database:

var mysql = require('mysql')
var express = require('express')
var app = express()

var connection = mysql.createPool({
    connectionLimit: 50,
    host     : 'ip',
    user     : 'username',
    password : 'pass',
    database : 'mydb'
});

app.get('/', function(req, resp) {
    connection.getConnection(function(error, tempCont) {
        if(!!error) {
            // no connection was handed out on error, so there is nothing to release
            console.log('Error');
            resp.status(500).send('database unavailable');
        } else {
            console.log('Connected!');

            tempCont.query("select * from table", function(error, rows, fields) {
                tempCont.release();
                if(!!error) {
                    console.log('Error in the query');
                    resp.status(500).send('query failed');
                } else {
                    resp.json(rows);
                }
            });
        }
    })
})

console.log("listening requests...")
app.listen(1337);

How do I secure the IP, username and password used for connecting to the database so that they are not visible in the code or a configuration file?

Joe asked Sep 30 '18 18:09


2 Answers

Install the dotenv module with: npm install --save dotenv

Create a .env file in the root folder and put the following in it:

DB_CONLIMIT=50
DB_HOST=ip
DB_USER=username
DB_PASSWORD=pass
DB_DATABASE=mydb

In your JS file:

var mysql = require('mysql');
var express = require('express');
var app = express();
const dotenv = require('dotenv').config();

var connection = mysql.createPool({
    connectionLimit : process.env.DB_CONLIMIT,
    host            : process.env.DB_HOST,
    user            : process.env.DB_USER,
    password        : process.env.DB_PASSWORD,
    database        : process.env.DB_DATABASE
});
Anil Gupta answered Nov 16 '22 00:11


You should be configuring your systems so that your service runs as its own user with its own protected files. This offers some protection so that even if another service is compromised, the intruding user's access is isolated from other components of your system. Don't run things as root.

As for how secrets are stored and accessed, that's up to you. You can have a configuration file if you want. Another option is to use environment variables. Ultimately, however, your secrets are going to have to be stored in plaintext somewhere for your system to read and use.

Another method worth mentioning: you could separate your secrets from your applications by having a dedicated secrets service. All your applications would have to know about this service, and from there they could request the secrets they need for their regular operation. This has the obvious caveat that all your applications depend on the secrets service at start-up; if that goes down, your applications won't be able to start or restart.

jakedipity answered Nov 15 '22 23:11