How to secure my NodeJS code - no plain password and no text file if possible

Question

I have the following NodeJS code where, I'm successfully using mssql module to execute a stored procedure. I'm using var config = { .., password: '....', ... } section where I'm defining the user and password.

How can I make the following code secure ie I don't hard code OR have any password in this file OR in any external file. Idea is to use an encrypted password to make the connection and then it'll execute the stored procedure.

I saw there's a module in NodeJS called crypto but I'm trying to see how I can plug that into my code to get rid of the real password (at least).

http://lollyrock.com/articles/nodejs-encryption/

If I use Environment variables and use those directly to populate the password variable, I saw some posts which says that even Environment variables can be exposed. Hardcoded mysql user and password in Node.js

Appreciate any help.

//This computerName is what we'll find in our mssql server to see
//if the server entry exist or not and the stored procedure will take this as a parameter.
var computerName = "some.fake.server.com";
var secProfile = "";

var sql = require('mssql');

var config = {
    user: 'dbuser',
    //I want to get rid of the following password line from this section.
    password: 'secure9ass',
    server: 'dbserver.domain.com',
    database: 'DBName',
    pool: {
        max: 10,
        min: 0,
        idleTimeoutMillis: 30000
    }
}

sql.connect(config).then(function(output) {
  // Stored Procedure
    new sql.Request()
    .input("ComputerName", sql.VarChar(100), computerName)
    .execute('dbo.getSysStatus_ByName').then(function(recordsets) {
    console.dir(recordsets);
  }).catch(function(err) {
        // ... error checks
    console.log('ERROR1::: ' + err)
    console.log("----")
    console.log(err)
    console.log("====")
    console.log(recordsets)
    console.log("----")
    console.log('ERROR2::: '+ sqlOutput);
    console.log('ERROR3::: '+ request.parameters.sqlOutput.value);
});
  console.log(output);
}).catch(function(err) {
  // ... error checks
  console.log('ERROR5::: '+ err);
});

Answer 1

Well to answer, if even environment variables can be exposed, the best method is probably to use readline . This is a built-in module in Node.js, what it does is similar to prompt() in Python. It will ask the user for an input. This way, there won't be any information leaks in files or in the code . However, the downside to using readline is that you have to enter the password manually every time, and that could be very annoying in the development process. So I suggest that before deployment, set the password to be hard-coded, and switch to a readline method later instead.

Example code:

const readline = require('readline');
const rl = readline.createInterface({input: process.stdin, output: process.stdout})
rl.question('Enter you password: ', answer => {
    // Authentication here
    rl.close()
})

Glad to answer your question.