
Best practice for managing web service credentials for Node.JS?

We're planning a secure Node.JS server, which uses several third-party web services. Each requires credentials that will need to be configured by the operations team.

Clearly they could simply put them in plain text in a configuration file.

Microsoft .NET seems to offer a better option with DPAPI - see Credential storage best practices. Is there a way to make this available through IISNode? Or is there any other option to secure such credentials within Node.JS configuration?

  • Charles

There's an extensive discussion of several options here, including the two suggested by xShirase:

http://pmuellr.blogspot.co.uk/2014/09/keeping-secrets-secret.html

User-defined services solve the problem, but only for Cloud Foundry.

This blog http://encosia.com/using-nconf-and-azure-to-avoid-leaking-secrets-on-github/ points out that you can often set environment variables separately on servers, and suggests using nconf to read them and config files separately.

I still wonder if there are specials for IIS?

  • Charles

There are 2 ways to do it securely:

First one is to use command line parameters when you launch your app.

These parameters are then found in process.argv

So, node myapp.js username password would give you:

process.argv[0]=node
process.argv[1]=/.../myapp.js (absolute path)
process.argv[2]=username 
process.argv[3]=password 

Second is to set the credentials as ENV variables. It is generally considered the best practice, as only you have access to these variables.

You would have to set the variables using the export command, then you'd access them in process.env
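As an added example (not code from the question or from either answer), the following Node.js module reads the credentials both ways described above: from environment variables first, which is also the pattern the nconf post in the earlier answer relies on, and from process.argv as a fallback. The variable names SERVICE_USER and SERVICE_PASS are assumptions for illustration. It validates at startup so a misconfigured server fails before making any outbound call, and it exposes a masked description for logs so the secret is never printed. One caveat for the argv route: command-line arguments are visible to other local users through process listings, which is one reason the environment-variable route is the one usually recommended.

```javascript
// Added example: credential loading for a Node.js service.
// SERVICE_USER / SERVICE_PASS are assumed names, not from the original post.

const REQUIRED = ['SERVICE_USER', 'SERVICE_PASS'];

// Read credentials from an env-like object (defaults to process.env).
// Throws on missing keys so the server fails fast at startup.
function loadFromEnv(env = process.env) {
  const missing = REQUIRED.filter((k) => !env[k]);
  if (missing.length) {
    throw new Error(`missing credentials in environment: ${missing.join(', ')}`);
  }
  return Object.fromEntries(REQUIRED.map((k) => [k, env[k]]));
}

// Read from command-line arguments, as in "node myapp.js username password".
// argv[0] is node, argv[1] is the script path, argv[2] and argv[3] are ours.
function loadFromArgv(argv = process.argv) {
  if (argv.length < 4) {
    throw new Error('usage: node myapp.js <username> <password>');
  }
  return { SERVICE_USER: argv[2], SERVICE_PASS: argv[3] };
}

// Prefer the environment; fall back to argv only when nothing is set there.
function loadCredentials({ env = process.env, argv = process.argv } = {}) {
  const haveEnv = REQUIRED.every((k) => Boolean(env[k]));
  return haveEnv
    ? { source: 'env', values: loadFromEnv(env) }
    : { source: 'argv', values: loadFromArgv(argv) };
}

// Masked view for logs: the password is never included, not even its length.
function describe(creds) {
  return `${creds.source}: user=${creds.values.SERVICE_USER} pass=***`;
}

// Usage from a server entry point (constructed call, no real service):
//   const creds = loadCredentials();
//   console.log(describe(creds));
```

Setting the values before launch, as the answer describes, would be `export SERVICE_USER=alice SERVICE_PASS=...` followed by `node myapp.js`; with nothing exported, `node myapp.js alice <password>` takes the argv path instead.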

I currently had to do the exact same thing for my external API credentials. This is what I did:

  • install the node-config module
  • create a folder and file called config/config.js
  • here require the config module
  • in the local box it reads the configuration from the local.json file
  • I have dummy values in local.json for the API key and shared secret
  • on my QA environment I export two variables, NODE_ENV="QA" and NODE_CONFIG_DIR="path to my configuration folder on QA server"
  • the node-config module reads the configuration from "path to your config folder / QA.json"
  • now I have the real API key and credential in QA.json
  • here you can use encryption to encrypt these values and put them back in QA.json
  • in your app, get these config values, decrypt them and use them in your REST call

hope this helps.

so your config can live in the same container as node code.

Refer to this for encryption and decryption: http://lollyrock.com/articles/nodejs-encryption/

