I'm connecting to a few APIs and using basic authentication like so:
this.jenkins = jenkinsapi.init('https://USERNAME:[email protected]:8080', {strictSSL: false});
I'm concerned about just having the user's password just sitting there in a variable or plain text. It is inside a 'private' method but if anybody is able to view the source on the server they would be able to view the username and password.
How can I make this more secure while still using http basic auth?
Take a look at Environment Variables. These are available in Node.js.
process.env.ENV_VARIABLE
Where ENV_VARIABLE is something defined in your system running the application. For isntance, in my Node.js application running on Heroku, and hosted publically on Github, I'm using process.env.MONGOLAB_URI instead of the SQL-type string containing the database name, username, and password. I have this automatically configured because of Heroku, but I'm able to also set the variable locally in my OS (Windows in this case) so that the code will run locally, as well.
Also check out this answer about using Environment variables with Jenkins.