I have built an application and added my SMTP credentials like this (in the server code block):
    Meteor.startup(function () {
      // SMTP credentials hardcoded in the source
      var smtp = {
        username: 'username@emails.com',
        password: 'lkajflkadjakdlfj',
        server: 'smtp.emails.com',
        port: 587
      };
      process.env.MAIL_URL = 'smtp://' + encodeURIComponent(smtp.username) + ':' +
        encodeURIComponent(smtp.password) + '@' +
        encodeURIComponent(smtp.server) + ':' + smtp.port;
    });
This works, and is sending just fine. But my credentials are available to anyone just by reading the source code of my deployed application.
Is there somewhere else I should be storing these credentials? Or another method entirely of setting this up?
2 solutions
#1
Try to avoid hardcoding environment variables in your code in general; there are several other options available to you.
You could use Meteor.settings to store your private credentials:
private/settings.json
    {
      "MAIL_URL": "smtp://postmaster%40mg.domain.com:password@smtp.mailgun.org:587"
    }
server/config.js
    process.env.MAIL_URL = Meteor.settings.MAIL_URL;
Don't forget to feed your app with meteor settings:
Local development workflow:
    meteor --settings private/settings.json
Deploying to Meteor servers:
    meteor deploy myapp.meteor.com --settings private/settings.json
Another option is to use mup (Meteor Up), which provides a config file named mup.json where you can store your credentials as env variables, which is very handy.
mup.json
    "env": {
      "MAIL_URL": "..."
    }
Last but not least, if you're using version control, don't forget to .gitignore your settings!
.gitignore
    private/settings.json
    mup.json
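One way to wire up the Meteor.settings approach from answer #1 in a file under server/, as an added example that is not part of the original answers. The settings shape (an smtp object with username, password, server and port) and all function names are assumptions; the check on settings.public is there because Meteor sends that part of the settings to every client.

```javascript
// Added example. Assumed settings.json shape (not from the page):
// { "smtp": { "username", "password", "server", "port" }, "public": { ... } }

// Build MAIL_URL from the settings object, failing loudly if --settings was forgotten.
function buildMailUrl(settings) {
  const smtp = (settings && settings.smtp) || {};
  for (const key of ['username', 'password', 'server', 'port']) {
    if (smtp[key] === undefined || smtp[key] === '') {
      throw new Error('Missing smtp.' + key + ' in settings');
    }
  }
  const port = Number(smtp.port);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error('smtp.port must be an integer from 1 to 65535');
  }
  // Percent-encode user and password so '@', ':' and '/' cannot break the URL.
  return 'smtp://' + encodeURIComponent(smtp.username) + ':' +
    encodeURIComponent(smtp.password) + '@' + smtp.server + ':' + port;
}

// Meteor.settings.public is shipped to every client: list secret-looking keys in it.
function findPublicSecrets(settings) {
  const hits = [];
  const walk = (node, path) => {
    if (node === null || typeof node !== 'object') return;
    for (const [key, value] of Object.entries(node)) {
      const here = path + '.' + key;
      if (/pass|secret|token|mail_url|api_?key/i.test(key)) hits.push(here);
      walk(value, here);
    }
  };
  walk(settings && settings.public, 'public');
  return hits;
}

// Mask the password so the resulting URL can appear in startup logs.
function redactMailUrl(mailUrl) {
  return mailUrl.replace(/^(\w+:\/\/[^:@\/]*:)[^@\/]*@/, '$1***@');
}

// Wiring for a file under server/ (skipped when run outside Meteor).
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  const leaked = findPublicSecrets(Meteor.settings);
  if (leaked.length) throw new Error('Secrets under settings.public: ' + leaked);
  process.env.MAIL_URL = buildMailUrl(Meteor.settings);
  console.log('MAIL_URL set to', redactMailUrl(process.env.MAIL_URL));
}
```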
#2
From the Meteor documentation (http://docs.meteor.com/#/full/structuringyourapp):
Any directory named server is not loaded on the client. Similar to wrapping your code in if (Meteor.isServer) { ... }, except the client never even receives the code. Any sensitive code that you don't want served to the client, such as code containing passwords or authentication mechanisms, should be kept in the server directory.