Node.js sensitive information in javascript file? - javascript

Is it safe to contain sensitive information such as database connection details on a JavaScript file running on a Node.js server ?
For instance:
var mysql = require('db-mysql');
new mysql.Database({
hostname: 'localhost',
user: 'user',
password: 'password',
database: 'test'
}).on('error', function(error) {
console.log('ERROR: ' + error);
}).on('ready', function(server) {
console.log('Connected to ' + server.hostname + ' (' + server.version + ')');
}).connect();
Since JavaScript file is a client-side file, is this information can't be seen through the client on a typical browser using the developer tool ?

Since you're executing the script server-side, this same code is not viewable on the client-side. Think of it along the same lines as a PHP script or similar. However as already pointed out, if you place your script inside a publicly accessible directory, then people could see the code.
A couple of alternatives to placing your credentials directly inside your script could be to move your credentials securely (e.g. with appropriate file/user permissions) to a file in some other directory that your script reads from or get your credentials from the environment like:
# DB_USER=foo DB_PASS=bar node myscript.js
Then inside your script:
new mysql.Database({
hostname: 'localhost',
user: process.env.DB_USER,
password: process.env.DB_PASS,
database: 'test'
// ...

Yes, it's safe to do that. Client will have only access to what you will send to him from your application. This is not client-side file, it's node.js and your application server-side file. Remember to NOT include this file with other JS files like jquery etc which you will send to your clients.

Although it is safe, but what If directory browsing is enabled on server ?

Related

How to connect a frontend application on a different port with a backend?

I put my frontend application in the public folder for a node.js application and am getting the form-data using the following request:
try {
await axios.post("/api/v1/contact-form", {
name,
email,
msg,
});
}
My backend is in port 5000 and it's handling the request by:
app.use("/api/v1/contact-form", submitFormRouter);
It works perfect. I'm getting the data when I have my frontend application is in the node.js public folder.
My question is if my frontend is running on a different local port such as, if I use "Five server" to run the frontend application, how do I replace the following path for post:
Frontend:
try {
await axios.post("/api/v1/contact-form", {
name,
email,
msg,
});
}
Backend:
app.use("/api/v1/contact-form", submitFormRouter)
I've also tried the code using React in which case the frontend is running in http://localhost:3000/ and node.js server running in 5000, the code still works and I'm getting the form data. But, how do I make it work for a frontend application sitting in a different port(without react)?
Additionally, I hope you're kind enough to answer the following question- What would be the path once I have the frontend let's say on Netlify whereas the backend is on Heroku?
What would be the path once I have the frontend let's say on Netlify whereas the backend is on Heroku?
Let's assume your Back on Heroku has this url https://app.herokuapp.com/ and the Front on Netlify this one https://app.netlify.com/. All you have to do is to give your Front your Back's url, like so:
try {
await axios.post("https://app.herokuapp.com/api/v1/contact-form", {
name,
email,
msg,
});
}
My question is if my frontend is running on a different local port such as, if I use "Five server" to run the frontend application, how do I...
At this point you have two choices, the simplest one is to use a complete url like above. Let's assume your Front is on port 3000 and the Back on 8080. All you have to do again is:
try {
await axios.post("http://localhost:8080/api/v1/contact-form", {
name,
email,
msg,
});
}
The second one is to use a proxy, and this really depends on your projects' structure and need.

Node.JS MySql Module - Cannot Connect to Any Database - ECONNRESET

I'm trying to use the mysql module to connect to my database. But everytime, I get the following error: read eCONNRESET There is problem. (Note, that last part is from my console log. See below.)
I don't think this is a problem with database security settings. I've been trying to connect to my new database (hosted on AWS) for the last several days with no luck. Then, just now I attempted to connect to an Azure database that has been running smoothly for a couple years. Same problem: read eCONNRESET.
By the way, if I randomly change the host string to something invalid, my code returns an error saying the host wasn't found. So that tells me it's working to some extent.
I'm very new to the coding world and need all the help I can get.
Here's my code:
console.log('starting Launch');
var mysql = require('mysql');
var connection = mysql.createConnection({
host : '....windows.net',
user : 'test',
password : 'test',
port : '1433'
})
console.log('step2')
connection.connect(function (err) {
if (!err)
console.log("conncetd");
else
console.log(err + "There is problem");
});
Copy full error message.
Check connectivity to your DB instance, use nmap (linux) or telnet (windows). If you can't reach host - check your local machine and server firewall, restrictions. If you can, go to 2.
Try to use different MySQL client, MySQL WorkBench, HeidiSQL, DBeaver.
If you can't - than something wrong with MySQL configuration. If you can, go to 3.
Copy info about: OS, node version, mysql module version.
you could try
mysql.createPool({});
instead of
mysql.createConnection({})

Meteor mail not sending despite setting MAIL_URL environment variable

I'm getting this error message in the terminal "Mail not sent; to enable sending, set the MAIL_URL environment variable." despite setting MAIL_URL environment variable. After this message the whole mail content html gets dumped in the terminal. I'm using 2 meteor packages for sending email: yogiben:pretty-emails and email with mailgun api service.
Here's the source code for the mail config and sending email:
if Meteor.isServer
Meteor.startup ->
process.env.MAIL_URL = 'smtp://sandboxid.mailgun.org:mypassword#smtp.mailgun.org:587'
return
PrettyEmail.options =
from: 'primaryemail#gmail.com'
siteName: 'Meteor Test'
companyAddress: 'sdfsf, gdfg-df'
companyName: 'Code to Create'
companyUrl: 'http://example.com'
Accounts.sendVerificationEmail ->
Meteor.userId()
This file is kept inside Project_Directory/both/_config directory. I'm currently developing this app on local ubuntu server.
I think the call to sendVerificationEmail should be:
Accounts.sendVerificationEmail Meteor.userId()
as per the docs at http://docs.meteor.com/#/full/accounts_sendverificationemail
If that code is the exact code you're using, then you may be having issues because of the order in which each piece of code runs (callbacks run asynchronously). The startup callback will run after PrettyEmail.options and Accounts.sendVerificationEmail
If you indent those two sections as follows it should work as expected:
if Meteor.isServer
Meteor.startup ->
process.env.MAIL_URL = 'smtp://sandboxid.mailgun.org:mypassword#smtp.mailgun.org:587'
PrettyEmail.options =
from: 'primaryemail#gmail.com'
siteName: 'Meteor Test'
companyAddress: 'sdfsf, gdfg-df'
companyName: 'Code to Create'
companyUrl: 'http://example.com'
Accounts.sendVerificationEmail Meteor.userId()
Failing that it may also be worth setting MAIL_URL before running the app, for example:
MAIL_URL="smtp://sandboxid.mailgun.org:mypassword#smtp.mailgun.org:587" meteor
EDIT:
Your example code is not secure: If you are keeping this code in the 'both' directory, then anyone accessing your website will be able to see your mailgun credentials. You should put server code in the 'server' directory or at the very least set the MAIL_URL outside of your code as shown above.
I came across the same error. The trick was to not include the MAIL_URL in the application, but in the terminal where you run meteor itself.
Use the following command to run meteor:
MAIL_URL="smtp://postmaster#sandbox****.mailgun.org:XXXX#smtp.mailgun.org:587" meteor
I tried this on Ubuntu Terminal, hence should work on Mac as well.

Meteor SMTP Credentials viewable in source code on deployed application

I have built an application and added my SMTP credentials like this (in the server code block):
Meteor.startup(function () {
smtp = {
username: 'username#emails.com',
password: 'lkajflkadjakdlfj',
server: 'smtp.emails.com',
port: 587
}
process.env.MAIL_URL = 'smtp://' + encodeURIComponent(smtp.username) + ':' + encodeURIComponent(smtp.password) + '#' + encodeURIComponent(smtp.server) + ':' + smtp.port;
});
This works, and is sending just fine. But my credentials are available to anyone just be reading the source code of my deployed application.
Is there somewhere else I should be storing these credentials? Or another method entirely of setting this up?
Try to avoid hardcoding environment variables in your code in general, there are several other options available to you.
You could use Meteor.settings to store your private credentials :
private/settings.json
{
"MAIL_URL": "smtp://smtp://postmaster%40mg.domain.com:password#smtp.mailgun.org:587"
}
server/config.js
process.env.MAIL_URL = Meteor.settings.MAIL_URL;
Don't forget to feed your app with meteor settings :
Local development workflow :
meteor --settings private/settings.json
Deploying to Meteor servers :
meteor deploy myapp.meteor.com --settings private/settings.json
Another option is to use mup (Meteor Up) which provides a config file named mup.json where you can store your credentials as env variable, which is very handy.
mup.json
"env": {
"MAIL_URL": "..."
}
Last but not least, if you're using version control, don't forget to .gitignore your settings !
.gitignore
private/settings.json
mup.json
From the Meteor documentation (http://docs.meteor.com/#/full/structuringyourapp):
Any directory named server is not loaded on the client. Similar to
wrapping your code in if (Meteor.isServer) { ... }, except the client
never even receives the code. Any sensitive code that you don't want
served to the client, such as code containing passwords or
authentication mechanisms, should be kept in the server directory.

Finding MongoDB details after hosting on Ubuntu

I'm completely new to setting up servers, MongoDB, and still a little new to Javascript.
I'm trying to upload a Deployd server onto an online server. There is limited information on this, so at the moment, I set up a simple AWS Ubuntu server by doing the following tutorials:
http://zenborgium.blogspot.com/2012/12/how-to-setup-deployd-on-ubuntu-server.html
http://terraltech.com/how-to-setup-deployd-on-ubuntu-server/
However, I'm stuck at creating the production.js. There's a guide on it here. I'm specifically stuck at this line of code:
var server = deployd({
port: process.env.PORT || 5000,
env: 'production',
db: {
host: 'my.production.mongo.host',
port: 27105,
name: 'my-db',
credentials: {
username: 'username',
password: 'password'
}
}
});
server.listen();
Where do I find the host, port, name, and credentials that I should use from MongoDB? The tutorials say I need to use my own data, but I don't know where or how to find them.
First of all, you have to have MongoDB installed. I haven't used Deployd myself, but I will give you some information regarding the config file.
If you are running Mongo on the same ubuntu server as your application, you can use localhost to connect.
Default Mongo install runs on port 27017, in other words localhost:27017.
The 'name' parameter is just a name you give your database. So here you can put whatever you want, ex my-db.
With a clean Mongo install, you don't need any credentials. You have to set that up yourself if you want. I suppose leaving them out of the config file is ok, if not needed.
Your config file should therefor look something like this:
var server = deployd({
port: process.env.PORT || 5000,
env: 'production',
db: {
host: 'localhost',
port: 27017,
name: 'my-db'
}
});
update
I had a quick look at the tutorial you linked to. In one of the tutorials they created a user for mongodb. If you followed this step, you need to put that login information into you connect-object under credentials.
update 2
To get information about your mongodb install, check this SO post

Categories

Resources