Best practice for web service credential management for Node.JS?

We are planning a secure Node.JS server that uses several third-party web services. For each of them, credentials are required, which must be configured by the operations team.

Obviously, they could just put them in plain text in the configuration file.

Microsoft.NET offers the best option with DPAPI - see Credential Storage Best Practices. Is there a way to make this available through IISNode? Or is there another way to provide such credentials in a Node-JS configuration?

Charles (+5)

3 answers

Several options are discussed here in detail, including two suggested by xShirase:

http://pmuellr.blogspot.co.uk/2014/09/keeping-secrets-secret.html

Custom services solve the problem, but only for Cloud Foundry.

This blog http://encosia.com/using-nconf-and-azure-to-avoid-leaking-secrets-on-github/ indicates that you can often set environment variables separately on servers and suggests using nconf to read them and configuration files separately.

I'm still wondering if there are any special offers for IIS?

Charles (+3)

There are 2 ways to do this safely:

First, you need to use the command line options when starting the application.

These parameters are then located in process.argv

So node myapp.js username password will give you:

 process.argv[0]=node
 process.argv[1]=/.../myapp.js (absolute path)
 process.argv[2]=username
 process.argv[3]=password

Secondly, set the credentials as ENV variables. This is usually considered best practice, since only you have access to these variables.

You will need to set the variables using the export command; then you will have access to them in process.env.

+1
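The two mechanisms in this answer, written out as an added example (my code, not the answer's): credentials are taken from environment variables first and the positional argv layout above (argv[2] = username, argv[3] = password) is used only as a fallback. The names getCredentials, describeCredentials, WS_USERNAME and WS_PASSWORD are assumptions for this example, and the sample argv and env objects are constructed inline so it runs offline. One practical reason to prefer the env route: the command line of a running process is visible to other users of the same host through process listings, while its environment normally is not.

```javascript
// Added example, not code from the original answer.
// Names WS_USERNAME / WS_PASSWORD are assumed for the example.

// Resolve web service credentials: environment first, argv fallback.
function getCredentials({ argv = process.argv, env = process.env } = {}) {
  // Preferred: environment variables set with `export` before starting node.
  if (env.WS_USERNAME && env.WS_PASSWORD) {
    return Object.freeze({
      username: env.WS_USERNAME,
      password: env.WS_PASSWORD,
      source: 'env',
    });
  }
  // Fallback: `node myapp.js username password` as described in the answer.
  if (argv.length >= 4) {
    return Object.freeze({ username: argv[2], password: argv[3], source: 'argv' });
  }
  // Fail closed. The error names the missing settings but never echoes a value.
  throw new Error('web service credentials missing: set WS_USERNAME and WS_PASSWORD');
}

// Anything that reaches a log line goes through here, so the secret never does.
function describeCredentials(creds) {
  return `${creds.username} (password: [redacted], from ${creds.source})`;
}

// Constructed sample inputs standing in for a real process environment.
const sampleEnv = { WS_USERNAME: 'svc-account', WS_PASSWORD: 'env-secret' };
const sampleArgv = ['node', '/srv/app/myapp.js', 'svc-account', 'argv-secret'];

console.log(describeCredentials(getCredentials({ argv: sampleArgv, env: {} })));
console.log(describeCredentials(getCredentials({ argv: sampleArgv, env: sampleEnv })));
```

Passing argv and env in as parameters rather than reading the globals directly is what makes the function testable without actually launching the process with secrets on its command line.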

Currently, I have to do the same for my external API credentials. This is what I did:

  • install the node-config module
  • create a config folder and a config/config.js file
  • it requires the (config) module
  • locally, it reads the configuration from the local.json file
  • I have dummy values in local.json for the api key and shared secret
  • in my QA environment, I export two variables: NODE_ENV = "QA" and NODE_CONFIG_DIR = "path to my config folder on the qa server"
  • the node-config module then reads the configuration from "path to your config folder/QA.json"
  • I now have the real api key and credentials in QA.json
  • here you can use encryption to encrypt these values and put them back into QA.json
  • in your application, get these configuration values and decrypt them for use in your app

Hope this helps.

so that your config can live in the same container as node.

Reference this for encryption and decryption: http://lollyrock.com/articles/nodejs-encryption/

0

Source: https://habr.com/ru/post/1204344/
