npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

config-shield

v0.2.3

Published

Store and retrieve data sensative in nature

Downloads

65

Readme

Config Shield

Build Status NPM version Dependency Status Bitdeli Badge

NPM

About

The mission behind this project is to provide a "safe" process from which to store properties sensitive in nature, in a manner that is both developer friendly as well as optimized for production use.

Making configuration changes

Install config-shield in your project:

  npm install config-shield --save

Startup the command-line interface from root of application:

  npm run config-shield
  : enter path of config (enter to use secure-config.json)>
  : enter path of private key> my.app.key
  set simple_property true
  set my-json-prop { "nested": { "values": [ 1, 2, 3 ] } }
  set null-prop null
  set evaluable-prop-as-string "null"
  set string-prop this will be stored as string if type cannot be determined
  set array-pop [ 1, 2, 3 ]
  set boolean-prop true
  set number-prop 5
  remove number-prop
  get my-json-prop
  : { "nested": { "values": [ 1, 2, 3 ] } }
  save
  : changes saved
  exit

Optionally you may also install config-shield globally:

  npm install config-shield -g
  config-shield

Deploy your config

This step should be built into your CICD process, to clone the applicable environment config and copy secure-config.json over. Ideally these assets will be in a limited-access store to avoid unnecessary risk.

Do not under any circumstance store your production private keys within your project.

Loading config from your App

  var secureConfig = require('config-shield');
  // one-time load
  secureConfig.load({
    configPath: './secure-config.json', // not required if default
    privateKeyPath: '/etc/pki/tls/certs/my.app.key'
  });

  var myObj = secureConfig.getProp('my-json-prop');

Access your secure config from anywhere in your app:

  var secureConfig = require('config-shield');
  var myObj = secureConfig.getProp('my-json-prop');

Multiple configs? No problem:

  var secureConfig = require('config-shield');
  secureConfig.load({
    instance: 'my-other-config',
    configPath: './my-other-secure-config.json',
    privateKeyPath: '/etc/pki/tls/certs/my.app.key'
  });

  var myOtherSecureConfig = secureConfig.instance('my-other-config');
  var myObj = myOtherSecureConfig.getProp('my-prop');

Developer Environment

Optionally you may include your development private key within your project to keep things simple, but please do not do this for production environments as you'll be negating the value of this module. Only a limited few should have access to production private keys.

API

  var secureConfig = require('config-shield');
  • load (options[, cb]) - Load config.
    • options.instance (default: 'default') - Name of the config instance.
    • options.configPath (required) - Config to load, relative to the current working directory.
    • options.privateKeyPath (required) - Private key to load. Or could be any secret.
    • options.noCache (default: false) - Will disable caching of decrypted values if true.
    • options.alg (default: 'aes-256-ctr') - Algorithm to use for encryption.
    • cb (function(err, secureConfig)) - If callback is provided, will load asynchronously, otherwise will return synchronously.
  • save ([configPath][, cb]) - Save config.
    • configPath (required) - Config to save, relative to the current working directory.
    • cb (function(err)) - If callback is provided, will save asynchronously, otherwise will return synchronously.
  • convert ([options][, cb]) - Convert existing config to new private key.
    • options.privateKeyPath (required) - Private key file to load. Or could be any secret file.
    • options.backup (default: false) - Write old config values as backup to allow for a rotationary period where old key will continue to work.
    • options.alg (default: 'aes-256-ctr') - Algorithm to use for encryption.
    • cb (function(err)) - If callback is provided, will save asynchronously, otherwise will return synchronously.
  • dropBackup () - Removes all backup keys.
  • getProp (propName) - Return decrypted config value.
  • setProp (propName, propValue) - Store config value.
  • removeProp (propName) - Remove config value.
  • removeAll () - Remove all config values.
  • getKeys () - Return an array of available property keys.
  • getInstance (instanceName) - Return a config instance.
  • setInstance (instance) - Set a config instance.

Rotating keys

In the case you have keys that must be rotated, you can use the convert with backup option. The process would require you to:

  1. Load config with old private key.
  2. Convert with new private key, setting backup to true.
  3. Deploy your config change.
  4. Rotate your private keys.
  5. Load config with new private key.
  6. Run dropBackup.
  7. Deploy your final config change.

In CLI, would look something like:

  config-shield
  enter path of config> secure-config.json
  enter path of private key> old.key
  > convert
  enter path of private key> new.key
  backup old values to enable key rotations? (enter to disable, or `true`)> true
  > save
  > exit

Deploy your change, then update your config one last time:

  config-shield
  enter path of config> secure-config.json
  enter path of private key> new.key
  > dropBackup
  > save
  > exit

Deploy the final config. If you skip the step of dropping the backup, your config will become vulnerable to attacks using the old private key, negating most of the value of rotating keys.

Future

Possible future enhancements:

  • tts - Time to stale before auto-reloading config.

License

MIT