
Setting environment variables on local machine in production

When running an Express app in production on your local machine, how should you handle setting environment variables?

I am using the config package. In development, I use this config file - development.json:

{
    "mongoURI": "myMongoConnectionStringWithUsernameAndPassword",
    "apiKey": "mySuperSecretSuperSecret"
}

In production, as I understand it, one is not supposed to store such sensitive data in a file. As I understand it, the reason is that if such a file was checked into version control, everyone could access the sensitive information contained in it (if there are other reasons, please elaborate). Hence in production, my config file looks like this - production.json:

{
    "mongoURI": "",
    "apiKey": ""
}

In addition, I use the file custom-environment-variables.json to map environment variables to config values. These environment variables can then conveniently be set on the production server, using e.g. the Heroku Dashboard, which allows them to be used by the Express app.

{
    "mongoURI": "db_uri",
    "apiKey": "api_key"
}

However, on my local machine, I am not aware of a convenient way to easily set and update those environment variables.

I thought about setting them via the start script that runs my app in production in package.json, but then I'd have them in a file again, which would be the same issue as storing them in production.json as explained above.

How is this done in practice? On my local machine, do I manually have to set all environment variables on the terminal every time I want to run my app in production? Is there a better way?

Update: There is the suggestion to gitignore the production configuration file. But then how do other team members run the app on their machines, if they do not have the configuration file? That's what I don't get about this, it seems like one is not supposed to store those config values in a file or on GitHub, yet they need to be shared between developers to run the app? How do teams do this in practice?

You can use dotenv to do this!

This question seems specific to the config package.

In that context it was thought that encrypting secrets is a good idea:

https://github.com/lorenwest/node-config/wiki/Securing-Production-Config-Files

If you were not using config then using environment variables is a very common pattern for storing sensitive data:

https://nodejs.dev/how-to-read-environment-variables-from-nodejs


Lastly, some food for doubt: running production on your local machine? It does not seem like something you'd want to do at all. You'd potentially be making changes to a production data store.

I hope the convict npm package solves the problem stated here, since it allows you to set default values for configuration properties in a file, which can then be overridden by environment variables in higher environments. Validation can be enforced on the configuration to avoid human error.

Additionally, setting a property as a sensitive type means the sensitive value doesn't get printed in the terminal or log files.

Node.js lets you set environment variables through the CLI.

The process.env property returns an object containing the user environment,

so you can set your config before the start command like this: "mongoURI=xxxx npm start". This is the easy way.
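
An added example, not taken from any of the answers above, of the environment-variable pattern they describe: it reads the question's db_uri and api_key variables into config keys, fails at startup if either is unset, and redacts secrets before logging. The loadConfig and redact helpers and the sample values are constructed for illustration.

```javascript
// Mirrors the question's custom-environment-variables.json:
// config key -> name of the environment variable that supplies it.
const ENV_MAP = { mongoURI: "db_uri", apiKey: "api_key" };

// Assumption for this example: both keys hold secrets and must never be logged.
const SENSITIVE = new Set(["mongoURI", "apiKey"]);

// Build the config from an environment object (process.env by default).
// Empty strings, like the placeholders in production.json, count as missing.
function loadConfig(env = process.env, defaults = {}) {
  const config = {};
  const missing = [];
  for (const [key, envName] of Object.entries(ENV_MAP)) {
    const value = env[envName] || defaults[key] || "";
    if (value === "") missing.push(envName);
    config[key] = value;
  }
  if (missing.length > 0) {
    // Report the variable names only, never any values.
    throw new Error(
      `Missing required environment variables: ${missing.join(", ")}`
    );
  }
  return Object.freeze(config);
}

// Return a copy of the config that is safe to print or send to a log file.
function redact(config) {
  const out = {};
  for (const [key, value] of Object.entries(config)) {
    out[key] = SENSITIVE.has(key) ? "[redacted]" : value;
  }
  return out;
}

// Constructed sample environment standing in for process.env.
const sampleEnv = {
  db_uri: "mongodb://user:example-password@localhost/app",
  api_key: "example-key",
};
const cfg = loadConfig(sampleEnv);
console.log("config loaded:", redact(cfg));
```

In a real app, call loadConfig() with no arguments so it reads process.env, which can be populated by the shell, by the hosting dashboard, or by a gitignored .env file.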
