schluessel

v1.0.4

Rails like credentials store for database passwords, API keys, etc. encrypted in your repository.

Downloads

695

Readme

schluessel

Node.js package for storing application credentials (API keys, database passwords, etc.) encrypted in your repository.

Introduction

In complex applications you often have several credentials like database passwords, API keys, etc. you need to store somehow without accidentally checking them into your git repo or publishing them with your npm package.
The popular framework Ruby on Rails has a very neat solution for this dilemma: The credentials get enciphered and written to a file that can be checked into the repository. In order for the application to access them, you need to hand over the master key to decipher them.

Where does the name come from?

"Schlüssel" is the German word for key(s). The singular and plural forms are identical here.
🇩🇪 🔑

How it works

schluessel stores your credentials in a JSON-formatted file and creates a corresponding key file for every environment (NODE_ENV). It is safe to check your credentials file (credentials.<NODE_ENV>.json.enc) into version control, but make sure to never publish the key file!
The default environment, if not specified otherwise, is development.

Install schluessel

Just install schluessel by typing from your project root directory:

npm install --save schluessel

Accessing the credentials

Credentials are stored in JSON format. Let's assume you have the following credentials:

{
  "_description": "Put your credentials here...",
  "database": {
    "username": "admin",
    "password": "topsecret"
  }
}

CommonJS

From within your application do:

const myCredentials = require('schluessel');

// myCredentials will be the object you defined above in JSON format.
const dbConnection = connectToDatabase(
  myCredentials.database.username,
  myCredentials.database.password
);

ECMA Modules

From within your application do:

import myCredentials from 'schluessel';

// myCredentials will be the object you defined above in JSON format.
const dbConnection = connectToDatabase(
  myCredentials.database.username,
  myCredentials.database.password
);

TypeScript

In a TypeScript project you need to install @types/schluessel first:

npm install --save-dev @types/schluessel

Then you can access your credentials like this:

import myCredentials = require('schluessel');

The resulting object myCredentials is of type any, since its structure is completely up to you and cannot be predicted.

That's it! ✨

Creating a vault and key file

schluessel has a CLI that can be invoked with npx:

npx schluessel new

This will create a new vault and keyfile in your project root directory for the development environment.

ATTENTION: It is important to cd /path/to/your/project/root before you execute the code above! The CLI script cannot determine your project root on its own, so it's just using the current working directory.

This command will also add the line credentials.*.key to your .gitignore (and .npmignore if it exists) to make sure that you really will never check in the keyfile.

Editing the credentials

Just type:

npx schluessel edit

This will decipher the vault file and let you edit it with your favorite text editor. It will be enciphered again as soon as you close the editor.

Security considerations

The encryption algorithm used is AES with a 256-bit key in Galois/Counter Mode (GCM).

Environments

You often have totally different credentials during development, testing and the final deployment. You can (and should) create a credentials and key file pair for every single node environment you're about to use. The default is development.

If you want to create a vault and key file for another environment, just do:

NODE_ENV=<your environment> npx schluessel new

And respectively to edit the credentials:

NODE_ENV=<your environment> npx schluessel edit

Key handling

I cannot stress enough how crucial it is that you never upload the key file anywhere. For deployment I would recommend creating a separate NODE_ENV (e.g. production) and placing the key file for this environment (and only for this one) on your server manually.
If you cannot or don't want to place a file on your server, you can also pass the key via an environment variable:

NODE_ENV=<your environment> NODE_MASTER_KEY="mqkMGRLfY+GwjnlXOlIzJw+tlip/SBny/QOlDHQltEM=" node my_awesome_app.js

🍀

This should be obvious, but if you lose your key file, the respective credentials will be lost forever! 🔥

Note: All binary data is encoded in base64.

Changing IVs

Every time you edit the credentials, a new Initialisation Vector (IV) will be used, resulting in completely different ciphertexts even for very small changes. This will prevent attackers from searching for patterns in your credentials.<NODE_ENV>.json.enc across several save states.
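
The behaviour described under "Key handling" and "Changing IVs", shown with Node's built-in crypto module. This is an added example, not schluessel's own code: the vault layout (base64 iv, tag and data fields) and the names loadKey, seal and unseal are assumptions made for illustration.

```javascript
// Added illustration, not schluessel's source. The vault layout (base64
// iv/tag/data fields) and all function names are assumptions for this example.
const nodeCrypto = require('node:crypto');

// Decode a base64 master key (e.g. from NODE_MASTER_KEY); AES-256 needs 32 bytes.
function loadKey(b64) {
  const key = Buffer.from(b64 || '', 'base64');
  if (key.length !== 32) throw new Error('master key must decode to 32 bytes');
  return key;
}

// Encrypt a credentials object; a fresh 96-bit IV is drawn on every save.
function seal(credentials, key) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(credentials), 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { iv: b64(iv), tag: b64(cipher.getAuthTag()), data: b64(body) };
}

// Decrypt and authenticate; final() throws if key, IV, tag or data were altered.
function unseal(vault, key) {
  const raw = (s) => Buffer.from(s, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw(vault.iv));
  decipher.setAuthTag(raw(vault.tag));
  const plain = Buffer.concat([decipher.update(raw(vault.data)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Constructed sample: throwaway key, credentials object from the README above.
function demo() {
  const key = loadKey(nodeCrypto.randomBytes(32).toString('base64'));
  const creds = { database: { username: 'admin', password: 'topsecret' } };
  const first = seal(creds, key);
  const second = seal(creds, key); // identical plaintext, saved a second time
  const flipped = Buffer.from(first.data, 'base64');
  flipped[0] ^= 0x01; // simulate one modified ciphertext byte
  let tamperRejected = false;
  try { unseal({ ...first, data: flipped.toString('base64') }, key); }
  catch (err) { tamperRejected = true; }
  return {
    roundTrip: unseal(first, key).database.password === creds.database.password,
    ciphertextsDiffer: first.data !== second.data && first.iv !== second.iv,
    tamperRejected,
  };
}

console.log(demo());
```

Because GCM is authenticated, a vault file modified in the repository fails to decrypt instead of yielding altered credentials, and a key that does not decode to exactly 32 bytes is rejected before any cipher is created.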