‘secrets.js’ contains the functionality needed to interact with privileged information associated with your project including (but not limited to) API keys, session keys, path to private keys/certificates and database urls. The purpose of this module is to prevent the accidental inclusion of this information in production source code where it could be disassembled and discovered by an attacker
The primary dependency in ‘secrets.js’ is a module called dotenv. You can read more about it here.
_spartan accesses privileged values required for the application via environment variables. It is assumed that, through use of the dotenv module, that all application environment variables are available and configured in a file called .env which you should create yourself . The .env file should be stored at the project root
BE SURE TO ADD THE .ENV FILE TO YOUR .GITIGNORE FILE
_spartan also assumes that your application’s secrets will be different for production vs other development environments (‘dev’, ‘uat’, ‘stage’, etc). If this, indeed, the case, you should create different .env files, named for each of your environments.
the .env file
# here's how your .env file may look
# API KEYS
SNYK_TOKEN=your snyk api token
# FIREBASE CREDS
FIREBASE_API_KEY='your firebase api key'
FIREBASE_AUTH_DOMAIN='your firebase auth domain'
FIREBASE_DB_URL='your firebase database url'
FIREBASE_PROJECT_ID='your firebase project id'
FIREBASE_STORAGE_BUCKET='your firebase storage bucket'
FIREBASE_SENDER_ID='your firebase sender id'
SERVICE_ACCOUNT='path to your firebase service account object file'
# CACHE SETTINGS
CACHE_PORT= Number (integer) representing the port you want to to listen on for caching database
REDIS_PORT=Number (integer) redis listening port. default is 6379
# DATABASE CONFIG
DB_CONNECTION='mongodb://database connection string => default is mongodb'
HASH_ROUNDS=Number (integer) for how many rounds you want to run for password hashing. The higher the number, the longer it will take
# ENVIRONMENT
NODE_ENV='defines your environment type. default is development, but you may also want to switch to stage, production, uat, etc'
# SESSION SECRETS/KEYS
SESSION_SECRET='session secret value. you can also use a prng to come up with this value on the fly in your code'
# APP SERVER SETTINGS
CERTIFICATE=path to your certificate file
PRIV_KEY=path to your key file
CERT_AUTH=path to your certificate authority if applicable
PORT=what port your application server is listening on (in development environment, node requires this be an ephemeral port)
| method name | description | params | returns |
|---|---|---|---|
| fetchSecret | fetches a secret from the .env file and returns the value back to the requesting application | variable to fetch String | the value matching the variable name |
The dotenv module actually loads the variables defined in the .env file into the native process.env object. Fetching a variable via ‘secrets.js’ is actually returning the value at process.env.[your variable name]. Your should load this value into a local variable where you can reference it as needed like this:
const [your variable name] = require(./secrets).fetchSecret('variable you want to fetch')
EXAMPLE
// fetching the application's listening port. if not found, just use port 8080
const port = require('./secrets').fetchSecret('PORT') || 8080
To preserve separation of concerns, you should refrain from loading secret values directly into your main app (e.g. ‘app.js’, ‘index.js’ ‘main.js’ etc). Fetch and reference these values only in the place where you intend to use them.