...I have my db connection file and another "protected" file, where my credentials are, and this file is included in .gitignore.
I import it and reach the data.
The correct way to do it is to use environmental variables.
Environmental variables are set on the environment, i.e. your local development machine or the remote production server.
Therefore they don't exist in a file that can be read by someone viewing the repository contents.
Then, within your app, you read the environment variables and use them appropriately.
Here's how you set environment variables (this is for Linux, other OS's might be different):
$ export MONGO_DB_USERNAME=foo
$ export MONGO_DB_PASSWORD=bar
and here's how you read them within Node.js:
console.log(process.env.MONGO_DB_USERNAME) // logs 'foo'
console.log(process.env.MONGO_DB_PASSWORD) // logs 'bar'
Alternatively, you can pass environmental variables when starting up the process like so:
$ MONGO_DB_USERNAME=foo MONGO_DB_PASSWORD=bar node app.js
However that's generally discouraged since you're most probably starting your process through the npm start script.
Since package.json, where the npm start command is defined, is always committed to the repository it defeats the whole purpose of hiding the credentials.
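An added example, not part of the original answer: one way a db connection file can consume the MONGO_DB_USERNAME and MONGO_DB_PASSWORD variables described above, failing fast when one is unset and keeping the password out of log output. MONGO_DB_HOST, MONGO_DB_NAME and all function names are assumptions made for illustration, and the sample values are constructed.

```javascript
// Added example: only MONGO_DB_USERNAME / MONGO_DB_PASSWORD come from the answer.
const REQUIRED = ['MONGO_DB_USERNAME', 'MONGO_DB_PASSWORD'];

// Read credentials from an environment object (defaults to process.env).
// Throws one error naming every missing variable, never their values.
function loadMongoConfig(env = process.env) {
  const missing = REQUIRED.filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(`Missing environment variables: ${missing.join(', ')}`);
  }
  return {
    username: env.MONGO_DB_USERNAME,
    password: env.MONGO_DB_PASSWORD,
    // MONGO_DB_HOST and MONGO_DB_NAME are hypothetical, with local defaults.
    host: env.MONGO_DB_HOST || 'localhost:27017',
    database: env.MONGO_DB_NAME || 'test',
  };
}

// Build the connection string. Credentials are percent-encoded so that
// characters such as '@', ':' or '/' in a password cannot alter the URI.
function buildMongoUri(cfg) {
  const user = encodeURIComponent(cfg.username);
  const pass = encodeURIComponent(cfg.password);
  return `mongodb://${user}:${pass}@${cfg.host}/${cfg.database}`;
}

// Same URI with the password masked, suitable for log output.
function redactMongoUri(cfg) {
  const user = encodeURIComponent(cfg.username);
  return `mongodb://${user}:****@${cfg.host}/${cfg.database}`;
}

// Constructed sample environment so the example runs without real secrets.
const sampleEnv = { MONGO_DB_USERNAME: 'foo', MONGO_DB_PASSWORD: 'b@r:/1' };
const cfg = loadMongoConfig(sampleEnv);
console.log(redactMongoUri(cfg));
```

In an application, call loadMongoConfig() with no argument so it reads process.env, and pass the result of buildMongoUri() to the database driver.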