Comparing version 0.1.2 to 0.1.3
{ | ||
"name": "cryptoenv", | ||
"version": "0.1.2", | ||
"version": "0.1.3", | ||
"description": "Manage encrypted env variables", | ||
@@ -5,0 +5,0 @@ "homepage": "https://github.com/secrez/cryptoenv#readme", |
@@ -7,3 +7,3 @@ # CryptoEnv | ||
Many tools uses env variable to manage critical processes. Take for example [Hardhat](https://github.com/NomicFoundation/hardhat). To deploy a smart contract to Ethereum, most likely you have to put your private key in an `.env` file. That file is git-ignored, of course. Still, mistakes are behind the corner and the approach is very risky. We created [Hardhood](github.com/secrez/hardhood), a wrapper around Hardhat, to solve this specific issue, but that solution has some problem, and it is maybe too specific. CryptoEnv uses part of the code written for Hardhood, to manage a more generic process. | ||
Many tools use env variable to manage critical processes. Take for example [Hardhat](https://github.com/NomicFoundation/hardhat). To deploy a smart contract to Ethereum, most likely you have to put your private key in an `.env` file. That file is git-ignored, of course. Still, mistakes are behind the corner and the approach is very risky. For this reason, I created [Hardhood](github.com/secrez/hardhood), a wrapper around Hardhat, to solve this specific issue, but that solution has some problem, and it is maybe too specific. CryptoEnv uses part of the code written for Hardhood, to manage a more generic process. | ||
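Review bot: the Hardhood link on the rewritten line still has no scheme, `[Hardhood](github.com/secrez/hardhood)`, so Markdown renders it as a relative path under the npm or GitHub page instead of a link to the repository; make it `https://github.com/secrez/hardhood` while this sentence is being touched. In the same line, "mistakes are behind the corner" should be "mistakes are around the corner" and "has some problem" should be "has some problems".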
@@ -17,3 +17,3 @@ ## Usage | ||
``` | ||
npm i -g envcrypto | ||
npm i -g cryptoenv | ||
``` | ||
@@ -34,3 +34,3 @@ | ||
In the case above, in you `.env` file you will have something like | ||
In the case above, in your `.env` file you will have something like | ||
@@ -49,3 +49,4 @@ ``` | ||
Let's do the case of Hardhat. You have a conf file called `hardhat.config.js`. At the beginning of that file you can read the env variable with, for example Dotenv, and after requiring CryptoEnv, like here: | ||
Let's do the case of Hardhat. | ||
You have a conf file called `hardhat.config.js`. At the beginning of that file you can read the env variables with, for example Dotenv, and after requiring CryptoEnv, like here: | ||
@@ -73,3 +74,3 @@ ```javascript | ||
To avoid that Hardhat gives you an error when you skip the decryption, you can set up a variable OWNER_KEY in the `.env` file, with a testing key. When you will use CryptoEnv, the variable will be overwritten. | ||
To avoid that Hardhat gives you an error when you skip the decryption, you can set up a variable OWNER_KEY in the `.env` file, with a testing key. When you use CryptoEnv, the variable will be overwritten. | ||
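Review bot: the recommended workaround makes the plaintext OWNER_KEY in `.env` the value Hardhat uses whenever the password prompt is skipped, and the skip path in index.js only logs "decryption skipped" before returning, so a deploy run in which the prompt was passed over would sign with that fallback key with no further warning. The README should state explicitly that this fallback must be a throwaway test key holding no funds and never a real one, and should tell the user how to recognise that the encrypted value was not applied.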
@@ -86,4 +87,11 @@ Notice that after saving the first encrypted key, for all the others you must use the same password. | ||
and take only the variables that start with "hardhat". In a more general way, you can also pass a function that returns a boolean. For example, if you want to skip the decryption when testing the contracts with Hardhat, you could require it as: | ||
and take only the variables that start with "hardhat". | ||
You can also pass a function that returns a boolean, like: | ||
```javascript | ||
const words = ["home", "office", "street"]; | ||
require("cryptoenv").parse(e => words.includes(e)); | ||
``` | ||
For example, if you want to skip the decryption when testing the contracts with Hardhat, you could require it as: | ||
```javascript | ||
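Review bot: the new callback example never says what `e` is. From the loop in index.js (`filter(key)`) the function receives the name of each environment variable and returns true for the ones to decrypt, so the `words` example selects variables named exactly `home`, `office` or `street`. One sentence saying that here, and a parameter name such as `name` instead of `e`, would save readers a trip to the source.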
@@ -94,2 +102,3 @@ require("cryptoenv").parse(() => { | ||
``` | ||
(notice that Hardhat does not set the NODE_ENV variable during tests) | ||
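Review bot: the added parenthetical explains why NODE_ENV cannot be used to detect a Hardhat test run, but the surrounding sentence never says what the example callback checks instead; state that condition in the text next to the snippet (which argument or environment value the function looks at) so readers know how to adapt it to their own setup.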
@@ -96,0 +105,0 @@ ## About security |
@@ -131,2 +131,5 @@ const path = require("path"); | ||
) { | ||
if (process.env.__decryptionAlreadyDone__) { | ||
return; | ||
} | ||
this.keys = {}; | ||
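Review bot: the new early return keys the "already done" check on a process environment variable, which is a weak guard for a module whose purpose is to gate secrets. Anything that can place `__decryptionAlreadyDone__=TRUE` in the environment, including a line in the same `.env` file that dotenv loads just before this constructor runs, or the parent shell, silently switches decryption off, after which the plaintext fallback values the README recommends (OWNER_KEY) are what the program runs with. A module-scoped flag (`let decryptionDone = false;` at file level) survives repeated `require`s within the process without being settable from outside; if the environment variable is deliberate so that child processes inherit the state, say so in a comment. Also, the return happens before `this.keys = {}`, so a second instance is constructed without a `keys` property and anything reading `instance.keys` afterwards sees undefined.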
@@ -142,4 +145,6 @@ for (let key in process.env) { | ||
!filter || | ||
((typeof filter === "function" && filter(key)) || | ||
(Object.prototype.toString.call(filter) && filter.test && filter.test(key))) | ||
(typeof filter === "function" && filter(key)) || | ||
(Object.prototype.toString.call(filter) && | ||
filter.test && | ||
filter.test(key)) | ||
) { | ||
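Review bot: the reformatted condition still carries a no-op test. `Object.prototype.toString.call(filter)` returns a non-empty string for every value (`"[object Object]"`, `"[object String]"`, and so on), so it is always truthy and the only thing actually checked is `filter.test`; any object that happens to have a `test` method passes as a "regex". Compare the result to `"[object RegExp]"`, or use `filter instanceof RegExp`, so the intended contract (a function or a RegExp) is enforced.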
@@ -152,6 +157,8 @@ this.keys[key] = value; | ||
console.info(chalk.grey(`CryptoEnv > no encrypted keys found`)); | ||
process.env.__decryptionAlreadyDone__ = "TRUE"; | ||
return; | ||
} | ||
if (!password) { | ||
const prompt = require("prompt-sync")({}); | ||
console.log( | ||
console.info( | ||
chalk.green( | ||
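Review bot: with this hunk the sentinel `process.env.__decryptionAlreadyDone__ = "TRUE"` is assigned at three separate exits of the same function (no keys found, decryption skipped, decryption completed); assign it once at a single exit point or in a `finally` block so a future early return cannot forget it. The "no encrypted keys found" message would also be more useful if it named the filter in effect, because a wrong prefix or regex currently produces the same message as an `.env` file with nothing to decrypt.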
@@ -163,3 +170,5 @@ "CryptoEnv > Type your password to decrypt the env, or press enter to skip it" | ||
if (!password) { | ||
return console.log(chalk.grey("CryptoEnv > decryption skipped")); | ||
console.info(chalk.grey("CryptoEnv > decryption skipped")); | ||
process.env.__decryptionAlreadyDone__ = "TRUE"; | ||
return; | ||
} | ||
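Review bot: the skip path now sets the sentinel before returning, so once the user presses enter no later call in this process, nor in any child process that inherits the environment, will prompt again, and the undecrypted variables keep whatever plaintext value `.env` gave them. If that is intended, the "decryption skipped" message should say which variables were left undecrypted so the silent fallback is at least visible.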
@@ -180,3 +189,3 @@ } | ||
} catch (e) { | ||
console.log(chalk.red("Wrong password")); | ||
console.info(chalk.red("Wrong password")); | ||
process.exit(1); | ||
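Review bot: `console.info` is the wrong channel for an error message; use `console.error` so "Wrong password" goes to stderr. The larger issue in this catch block is that any exception raised during decryption is reported as a wrong password and then `process.exit(1)` is called from library code, which terminates the host program (Hardhat) with no chance to recover or report. Throw an Error and let the caller decide, and reserve the "Wrong password" text for an actual authentication or decryption failure rather than, say, a malformed ciphertext in `.env`.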
@@ -192,2 +201,3 @@ } | ||
} | ||
process.env.__decryptionAlreadyDone__ = "TRUE"; | ||
} | ||
@@ -194,0 +204,0 @@ |
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Environment variable access
Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package