
Where should I store secret strings on Node server?

Tags:

node.js

Well, I've come across a problem. How can I store passwords, DB URLs and important strings that should not go into my public version control?

I've come up with 3 solutions. The first works only on dev:

var config = require('./config');
var port = config.serverPort;

config.js

module.exports = {
  'serverPort' : '8182'
}

The second one should work on both dev and prod. But the config.js file was added to the .gitignore file, so it won't be uploaded to the server. When the server tries to require config.js and can't find it, it will throw an error.

var config = require('./config');
var port = process.env.PORT || config.serverPort;

The third is to use only process.env variables, but this only works on production. And if I'm testing on my local machine, I may need to paste in my secret strings and remember to remove them before sending to the public version control.

So, what should I do?

Rodmentou asked Nov 06 '15 00:11


1 Answer

The common solution is to add a config.js.example file to version control (that contains empty/dummy values to document what's available).

Then you add config.js to .gitignore (or whatever suits your VCS).

To run your application you simply copy config.js.example to config.js and put in the proper values.

Of course, the path to config.js can be taken from an environment variable to allow easily using different configs - but still, you wouldn't put the actual config files under version control (unless you have a separate private repo for config files, etc.).

It does make sense to always require a config file to exist. Even in development. While the default settings may be suitable, chances are good that many developers on your application want to configure things anyway or simply test things with non-default values.

ThiefMaster answered Sep 28 '22 09:09
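
The setup this answer describes, as an added example that is not part of the original answer: a loader that takes the config path from an environment variable, insists that the file exists, and checks it against the keys documented in config.js.example. The names `CONFIG_PATH` and `loadConfig` are assumptions made for illustration.

```javascript
// Added example, not code from the question or the answer.
// CONFIG_PATH and loadConfig are hypothetical names chosen for illustration.
const fs = require('fs');
const path = require('path');

// templatePath: the committed config.js.example (dummy/empty values only).
// env: environment to read CONFIG_PATH from; defaults to process.env.
function loadConfig(templatePath, env = process.env) {
  const template = path.resolve(templatePath);
  // Default location: config.js next to the template, unless CONFIG_PATH overrides it.
  const configPath = path.resolve(
    env.CONFIG_PATH || path.join(path.dirname(template), 'config.js')
  );

  // Always require the file to exist, in development too.
  if (!fs.existsSync(configPath)) {
    throw new Error(
      `Config file ${configPath} not found: copy ${template} to it and fill in the values`
    );
  }

  // Node loads files with an unregistered extension (.example) as JavaScript.
  const expected = require(template);
  const config = require(configPath);

  // Every key documented in the template must be set to a non-empty value.
  const missing = Object.keys(expected).filter(
    (key) => config[key] === undefined || config[key] === null || config[key] === ''
  );
  if (missing.length > 0) {
    // Report key names only, never the values, so secrets stay out of logs.
    throw new Error(`Config file ${configPath} is missing values for: ${missing.join(', ')}`);
  }
  return config;
}
```

Called once at startup, for example `const config = loadConfig(path.join(__dirname, 'config.js.example'));`, this makes a forgotten or incomplete config.js fail immediately with the names of the missing keys instead of surfacing later as an undefined value.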