Mongoose hide password in URI
With mongoose.connect('mongodb://username:password@host:port/database?options...');, which I use in a script, I don't suppose there is any real way to hide the password?
Should I even be concerned if the Mongodb is only listening on 127.0.0.1? If my server can get exploited then they can just cat that script to get the password.
Solution 1:[1]
You can put the password in an environment variable when launching node, or read it from a file not checked into source control. If mongodb is only listening on localhost, an attacker would not be able to connect directly to the database from a remote machine. It would still be advisable to configure your firewall to block remote access, just in case some configuration change opens mongodb up publicly.
Solution 2:[2]
Here may be one related topic: Store db password as plain text in node.js
Solution 1:
Use an environment variable.
Run your app with
MONGO_PASSWORD=yourpasswd node app
Then you can access it inside the app with
process.env.MONGO_PASSWORD
Solution 2:
Make a module (I call it "secrets") that exports all of your secret credentials. Don't check it into source control. Then, your app can just
require('secrets').
Solution 3:
Trousseau is an encrypted key-value store designed to be a simple, safe and trustworthy place for your data.
Solution 3:[3]
All the answers above are good suggestions, but they still leave the password visible on the host in an easy-to-figure-out location, either in a shell env variable or a file.
What I decided to do is upon every server boot up, make a job that creates a file for the mongoose script to read that has the password. Then, have a cron job that deletes the file 5 minutes after boot up. That password still exists on the system, but it would be much harder to trace where.
Solution 4:[4]
You will create a .env file in your node project. Then you put your username and password in it just like this: DB_USER=Your Username and DB_PASS=Your password. Then you will insert it into your index.js file.
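As an added example that is not part of any of the answers above: a small Node.js helper that takes the credentials from the environment (Solutions 1 and 2) or from a .env file (Solution 4), percent-encodes them into the Mongoose URI so that characters like `@` or `:` in the password cannot break it, and redacts the password before the URI is ever logged. The variable names MONGO_USER, MONGO_PASSWORD, MONGO_HOST, MONGO_PORT and MONGO_DB are assumptions, not names from the original answers.

```javascript
'use strict';
// Added example, not code from the original answers. Variable names
// MONGO_USER / MONGO_PASSWORD / MONGO_HOST / MONGO_PORT / MONGO_DB are assumed.

// Parse the KEY=VALUE lines of a .env file (the approach in Solution 4).
// Blank lines and '#' comments are skipped; quotes around a value are dropped.
// Read the file with fs.readFileSync('.env', 'utf8') and pass the text here.
function parseDotEnv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    out[key] = value;
  }
  return out;
}

// Build the connection URI. User and password are percent-encoded so that
// reserved characters in a password ('@', ':', '/') do not corrupt the URI.
function buildMongoUri({ user, password, host = '127.0.0.1', port = 27017, db, options = {} }) {
  if (!user || !password || !db) throw new Error('user, password and db are required');
  const auth = `${encodeURIComponent(user)}:${encodeURIComponent(password)}`;
  const query = new URLSearchParams(options).toString();
  return `mongodb://${auth}@${host}:${port}/${db}${query ? '?' + query : ''}`;
}

// Replace the password part of a URI with '***' so it can be logged safely.
function redactUri(uri) {
  return uri.replace(/^(mongodb(?:\+srv)?:\/\/[^:@\/]+:)[^@]*@/, '$1***@');
}

// Credentials come from an environment-like object (Solutions 1 and 2), e.g.
//   MONGO_USER=app MONGO_PASSWORD='p@ss:w/rd' MONGO_DB=shop node app.js
// or from parseDotEnv(...) output. The script never needs the password inline.
function uriFromEnv(env) {
  return buildMongoUri({
    user: env.MONGO_USER, password: env.MONGO_PASSWORD,
    host: env.MONGO_HOST, port: env.MONGO_PORT, db: env.MONGO_DB,
    options: { authSource: 'admin' },
  });
}
// Usage in the app: const uri = uriFromEnv(process.env);
//                   console.log('connecting to', redactUri(uri));
//                   mongoose.connect(uri);
```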
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | weiyin |
| Solution 2 | Community |
| Solution 3 | dman |
| Solution 4 | Shafin Ahmed |
