Tags: reactjs, express, security, backend, tedious

Proper way to store and pass username and password to config for database connection?


I have just created my first React back-end using Express and Tedious. What is the proper way to store and/or pass in the Username and Password to connect to the database? Is the 'back-end' secure enough to have it in-line like this?

const express = require('express')
const app = express()

app.get('/dbCall', (req, res) => {
    var Connection = require('tedious').Connection;
    var Request = require('tedious').Request;
    var config = {
        "server": "localhost",
        "authentication": {
          "type": "default",
          "options": {
            "userName": "myUsername",
            "password": "myPassword"
          }
        },
        "options": {
          "port": 1533,
          "database": "myDB",
        }
      }
    ...
})

Solution

  • One way to store your 'secret' data is to use the dotenv module.

    1. Install the module:

    npm install dotenv
    

    2. Create the ".env" file in your root directory (same directory as package.json)

    Content of your .env should look like this (yeah, it's just plain text):

    APP_SERVER=localhost
    APP_USERNAME=myUsername
    APP_PASSWORD=myPassword
    APP_PORT=1533
    APP_DATABASE=myDB
    

    3. Set up dotenv (you want to do this as early as possible in your application)

    // example where to put it
    const express = require("express");
    const app = express();
    
    const dotenv = require("dotenv");
    dotenv.config();
    

    4. Profit

    const express = require('express')
    const app = express()
    
    const dotenv = require("dotenv");
    dotenv.config();
    
    app.get('/dbCall', (req, res) => {
        var Connection = require('tedious').Connection;
        var Request = require('tedious').Request;
        var config = {
            "server": process.env.APP_SERVER,
            "authentication": {
              "type": "default",
              "options": {
                "userName": process.env.APP_USERNAME,
                "password": process.env.APP_PASSWORD
              }
            },
            "options": {
              // every value read from .env is a string; tedious expects a numeric port
              "port": Number(process.env.APP_PORT),
              "database": process.env.APP_DATABASE,
            }
          }
      })
    

    Note: If you're using git you have to put the ".env" file in your .gitignore and you might want to consider deleting previous commits if you've already pushed your secret data.

    EDIT: If you're using the database config object multiple times, I'd recommend putting your config in a separate file.

    1. Create the "databaseConfig.js" file:

    module.exports = {
      server: process.env.APP_SERVER,
      authentication: {
        type: "default",
        options: {
          userName: process.env.APP_USERNAME,
          password: process.env.APP_PASSWORD
        }
      },
      options: {
        // every value read from .env is a string; tedious expects a numeric port
        port: Number(process.env.APP_PORT),
        database: process.env.APP_DATABASE
      }
    }
    

    2. Require "databaseConfig.js" in your code:

    const config = require("path/to/databaseConfig.js");
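A hardened version of that shared config module, added here as an example and not the answer's own code: it reads the same APP_* variables, fails at startup when one is missing instead of handing `undefined` to tedious, converts the port to the number tedious expects, and provides a redacted copy that is safe to log. The function names `loadDbConfig` and `redactConfig`, the explicit `env` argument, and the sample values are assumptions for the example.

```javascript
// databaseConfig.js (added example, not the original answer's code)
const REQUIRED = ["APP_SERVER", "APP_USERNAME", "APP_PASSWORD", "APP_PORT", "APP_DATABASE"];

// Build the tedious config from an environment object (process.env by default).
function loadDbConfig(env = process.env) {
  // Fail fast: a missing variable should stop the app, not silently become
  // `undefined` in the connection options.
  const missing = REQUIRED.filter((name) => !env[name] || env[name].trim() === "");
  if (missing.length > 0) {
    throw new Error(`Missing required environment variable(s): ${missing.join(", ")}`);
  }

  // dotenv gives strings; tedious expects options.port to be a number.
  const port = Number(env.APP_PORT);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`APP_PORT must be an integer between 1 and 65535, got "${env.APP_PORT}"`);
  }

  return {
    server: env.APP_SERVER,
    authentication: {
      type: "default",
      options: { userName: env.APP_USERNAME, password: env.APP_PASSWORD },
    },
    options: { port, database: env.APP_DATABASE },
  };
}

// Copy of the config with the password masked, for log lines and debugging.
function redactConfig(config) {
  return {
    ...config,
    authentication: {
      ...config.authentication,
      options: { ...config.authentication.options, password: "***" },
    },
  };
}

// Constructed sample environment, standing in for what dotenv would load.
const SAMPLE_ENV = {
  APP_SERVER: "localhost", APP_USERNAME: "myUsername", APP_PASSWORD: "myPassword",
  APP_PORT: "1533", APP_DATABASE: "myDB",
};
console.log(redactConfig(loadDbConfig(SAMPLE_ENV)));

// Export for require() when loaded as a CommonJS module.
if (typeof module !== "undefined") module.exports = { loadDbConfig, redactConfig, SAMPLE_ENV };
```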