javascript - 正确隐藏MongoAtlas凭证(Correctly hidding MongoAtlas credentials)

Question

Pretty new to Nodejs and had already made public my credentials from another mongo account.

(对Nodejs来说还很新，并且已经从另一个mongo帐户公开了我的凭据。)

As you may see, I have my db connection file and another "protected" file, where my credentials are, and this file is included in .gitignore.

(如您所见，我有我的数据库连接文件和另一个“受保护的”文件，我的凭据在其中，并且此文件包含在.gitignore中。)

I import it and reach the data.

(我导入它并到达数据。)

Quite basic.

(很基本。)

Therefore my questions are:

(因此，我的问题是：)

1. Is this the right way to do it?

   (这是正确的方法吗？)

2. If not, how should I do it?

   (如果没有，我该怎么办？)

   Plus: how could I add extra security to my account,connection?

   (另外：如何为帐户和连接增加额外的安全性？)

3. Let's suppose I have a private collection, that no one should see, how could I protect specially this collection?

   (假设我有一个私人收藏，没人可以看到，我该如何特别保护这个收藏？)

   I mean, with a password or a two step verification let's say.

   (我的意思是说，用密码或两步验证。)

I would like to thank you for your patience and time, appreciate it.

(我要感谢您的耐心和时间，感谢您的耐心和时间。)

  ask by Nicolás Gómez translate from so

Answer 1

...I have my db connection file and another "protected" file, where my credentials are, and this file is included in .gitignore.

(...我有我的数据库连接文件和另一个“受保护的”文件，我的凭据在此处，并且此文件包含在.gitignore中。)

I import it and reach the data..

(我导入它并到达数据。)

The correct way to do it is to use envrironmental variables .

(正确的方法是使用环境变量 。)

Environmental variables are set on the environment, ie your local development machine or the remote production server.

(环境变量是在环境（即您的本地开发计算机或远程生产服务器）上设置的。)

Therefore they don't exist in a file that can be read by someone viewing the repository contents.

(因此，它们不存在于查看存储库内容的人可以读取的文件中。)

Then, within your app, you read the environment variables and use them appropriately.

(然后，在您的应用程序中，读取环境变量并适当地使用它们。)

Here's how you set environment variables (this is for Linux, other OS's might be different):

(设置环境变量的方法如下（这在Linux中，其他OS可能有所不同）：)

$ export MONGO_DB_USERNAME=foo
$ export MONGO_DB_PASSWORD=bar

and here's how you read them within Node.js:

(以下是在Node.js中阅读它们的方式：)

console.log(process.env.MONGO_DB_USERNAME) // logs 'foo'
console.log(process.env.MONGO_DB_PASSWORD) // logs 'bar'

Alternatively, you can pass environmental variables when starting up the process like so:

(另外，您可以在启动过程时传递环境变量，如下所示：)

$ MONGO_DB_USERNAME=foo MONGO_DB_PASSWORD=bar node app.js

However that's generally discouraged since you're most probably starting your process through the npm start script .

(但是，通常不建议这样做，因为您很可能要通过npm start script启动进程。)

Since package.json , where the npm start command is defined, is always committed to the repository it defeats the whole purpose of hiding the credentials.

(由于定义了npm start命令的package.json始终提交到存储库，因此无法实现隐藏凭据的整个目的。)