When I'm connecting to a database in Node, I have to add the DB name, username, password etc. If I'm right, every user can access the JS file when he knows the address. So... how does it work? Is it safe?
- Why are your server JS files accessible to users? You are doing something wrong. You should separate Node.js files from frontend JS. – Bonanza, Mar 16, 2017 at 14:14
- You can authenticate to plenty of databases using SSH keys, or store your credentials in an environment variable. – Ben Fortune, Mar 16, 2017 at 14:18
- I just started learning Node. So I can separate that, thanks, that's what I've been talking about. – NilmeX, Mar 16, 2017 at 14:22
2 Answers
Node.js server side source files should never be accessible to end-users.
In frameworks like Express the convention is that requests for static assets are handled by the static middleware, which serves files only from a specific folder in your solution. Explicit requests for other source files that exist in your code base are thus ignored (a 404 is passed down the pipeline).
Consult https://expressjs.com/en/starter/static-files.html for more details.
Although there are other possible options to further limit the visibility of sensitive data, note that anyone with admin rights who gets access to your server would of course be able to retrieve the data (and this is perfectly acceptable).
I am assuming from the question that the DB and Node are on the same server. I am also assuming you have created either a JSON or env file, or a function which picks up your DB parameters.
The one server = everything (code + DB) setup is not the best in the world. However, if you are limited to it, then it depends on the DB you are using. MongoDB Community Edition will allow you to set up limited security protocols, such as creating users within the DB itself. This contains a {username, password, rights} combination which grants scaled rights based upon the type of user you set up. This is not foolproof, but it is some protection even if someone gets hold of your DB parameters. If you are using a more extended version of MongoDB, then this question would be superfluous. As to other DBs, you need to consult the documentation.
However, all that being said, you should really have the DB set up behind a public server and only allow SSH into it, with an open port to receive information from your program, as the one server = everything format is not safe in the end, though it is fine for development.
If you are using MongoDB, you may want to take a look at Mongoose coupled with Mongoose Encryption. I personally do not use them, but it may solve your problem in the short run.
If your DB is MySQL etc., then I suggest you look at the documentation.
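As an added example (not code from the answer above), here is what the "users within the DB itself" idea looks like for MongoDB, the database the answer assumes: a mongosh script that creates an application account with readWrite on one database only, plus a check that refuses to create it with any cluster-wide or admin-scoped role. The database name appdb, the user name appuser and the helper function names are assumptions; the script only calls createUser when run under mongosh, where the global db exists.

```javascript
// Added example, not the original answer's code: create a least-privilege
// MongoDB application user with mongosh. Run as an administrator:
//   mongosh admin --file create-app-user.js
// "appdb", "appuser" and the helper names are assumptions.
const APP_DB = 'appdb';

// Roles whose scope reaches beyond a single database. If the application's
// credentials leak, an account holding one of these is a whole-server
// compromise rather than a one-database one.
const CLUSTER_WIDE_ROLES = new Set([
  'root', 'readWriteAnyDatabase', 'readAnyDatabase', 'userAdminAnyDatabase',
  'dbAdminAnyDatabase', 'clusterAdmin', 'clusterManager', 'clusterMonitor',
  'hostManager', 'backup', 'restore',
]);

// The createUser document: readWrite on the application database and
// nothing else. The user is created in that database, not in admin.
function buildAppUserSpec(user, password, dbName = APP_DB) {
  return { user, pwd: password, roles: [{ role: 'readWrite', db: dbName }] };
}

// Returns a list of problems with a createUser spec; empty means the spec
// is scoped to `dbName` only. Handles both role forms mongosh accepts:
// a bare string (role on the current database) and { role, db }.
function leastPrivilegeProblems(spec, dbName = APP_DB) {
  const problems = [];
  for (const entry of spec.roles) {
    const role = typeof entry === 'string' ? entry : entry.role;
    const onDb = typeof entry === 'string' ? dbName : entry.db;
    if (CLUSTER_WIDE_ROLES.has(role)) problems.push(`${role} is cluster-wide`);
    if (onDb === 'admin') problems.push(`${role} is granted on admin`);
    else if (onDb !== dbName) problems.push(`${role} is granted on ${onDb}, not ${dbName}`);
  }
  return problems;
}

// Under mongosh the global `db` and passwordPrompt() exist; under plain
// node they do not, so this branch is skipped and the helpers can be tested.
if (typeof db !== 'undefined') {
  const spec = buildAppUserSpec('appuser', passwordPrompt());
  const problems = leastPrivilegeProblems(spec);
  if (problems.length) throw new Error('refusing to create user: ' + problems.join('; '));
  db.getSiblingDB(APP_DB).createUser(spec);
  print(`created ${spec.user} with readWrite on ${APP_DB} only`);
}
```

The application then connects as appuser to appdb, so whoever obtains those parameters gets readWrite on that one database and cannot, for example, read other databases or add users; the check also catches the common shortcut of handing the app the administrator account because it "just works".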