如何保护我的 NodeJS 代码 - 如果可能,没有普通密码和文本文件
[英]How to secure my NodeJS code - no plain password and no text file if possible
问题描述
I have the following NodeJS code where, I'm successfully using mssql module to execute a stored procedure.
我有以下 NodeJS 代码,我成功地使用 mssql 模块执行存储过程。 I'm using var config = { .., password: '....', ... } section where I'm defining the user and password.我正在使用 var config = { .., password: '....', ... } 部分,我在其中定义用户和密码。
How can I make the following code secure ie I don't hard code OR have any password in this file OR in any external file.如何使以下代码安全,即我没有硬编码或在此文件或任何外部文件中没有任何密码。 Idea is to use an encrypted password to make the connection and then it'll execute the stored procedure.想法是使用加密的密码建立连接,然后执行存储过程。
I saw there's a module in NodeJS called crypto but I'm trying to see how I can plug that into my code to get rid of the real password (at least).我看到 NodeJS 中有一个名为 crypto 的模块,但我想看看如何将它插入我的代码中以摆脱真实密码(至少)。
http://lollyrock.com/articles/nodejs-encryption/ http://lollyrock.com/articles/nodejs-encryption/
If I use Environment variables and use those directly to populate the password variable, I saw some posts which says that even Environment variables can be exposed.如果我使用环境变量并直接使用它们来填充密码变量,我看到一些帖子说甚至可以公开环境变量。 Hardcoded mysql user and password in Node.js 在 Node.js 中硬编码 mysql 用户和密码
Appreciate any help.感谢任何帮助。
//This computerName is what we'll find in our mssql server to see
//if the server entry exist or not and the stored procedure will take this as a parameter.
var computerName = "some.fake.server.com";
var secProfile = "";
var sql = require('mssql');
var config = {
user: 'dbuser',
//I want to get rid of the following password line from this section.
password: 'secure9ass',
server: 'dbserver.domain.com',
database: 'DBName',
pool: {
max: 10,
min: 0,
idleTimeoutMillis: 30000
}
}
sql.connect(config).then(function(output) {
// Stored Procedure
new sql.Request()
.input("ComputerName", sql.VarChar(100), computerName)
.execute('dbo.getSysStatus_ByName').then(function(recordsets) {
console.dir(recordsets);
}).catch(function(err) {
// ... error checks
console.log('ERROR1::: ' + err)
console.log("----")
console.log(err)
console.log("====")
console.log(recordsets)
console.log("----")
console.log('ERROR2::: '+ sqlOutput);
console.log('ERROR3::: '+ request.parameters.sqlOutput.value);
});
console.log(output);
}).catch(function(err) {
// ... error checks
console.log('ERROR5::: '+ err);
});
1 个解决方案
解决方案1
0 2020-01-17 15:13:12
Well to answer, if even environment variables can be exposed, the best method is probably to use readline .好回答,如果甚至可以公开环境变量,最好的方法可能是使用readline 。 This is a built-in module in Node.js, what it does is similar to prompt() in Python.这是 Node.js 中的一个内置模块,它的作用类似于 Python 中的prompt() 。 It will ask the user for an input.它将要求用户输入。 This way, there won't be any information leaks in files or in the code .这样,文件或代码中不会有任何信息泄漏。 However, the downside to using readline is that you have to enter the password manually every time, and that could be very annoying in the development process.但是,使用 readline 的缺点是每次都必须手动输入密码,这在开发过程中可能会非常烦人。 So I suggest that before deployment, set the password to be hard-coded, and switch to a readline method later instead.所以我建议在部署前,将密码设置为硬编码,稍后改用readline方式。
Example code:示例代码:
const readline = require('readline');
const rl = readline.createInterface({input: process.stdin, output: process.stdout})
rl.question('Enter you password: ', answer => {
// Authentication here
rl.close()
})
Glad to answer your question.很高兴回答你的问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.