Proposing Like a Nerd

Keeping your Parse & Node secrets safe with Heroku and dotenv

The first of my series of articles detailing my very elaborate wedding proposal will detail the concept of ENV variables and how to use them to keep your secrets safe whether running a project hosted or local.

While this some might argue that this is overkill for small personal projects, keeping important information (keys, secrets, URIs) out of your code repo and in environment variables is a good practice to get in that will keep your apps a little safer and also offer you the extra benefit of expanding out to multiple testing environments should your project take off.

Parse Server

When Parse closed down, it threw the community of developers that used it into a mini panic. The open source Parse Server that filled the void has grown into a fantastic tool for those continuing to use the Parse client SDK or just want to throw up a relatively simple back end with a DB.

Because you need to host all the parts yourself, you’ll also need to manage all the connection creds needed such as the various URIs and secrets to connect to the database, client, and any other services you may be using.

Parse server config
More keys can be added for more specificity but the default Parse Server config gives you all you need.

Parse server makes it pretty easy to plug in the important but it can be a bit misleading for a noobie especially the comment on line 18 that says // Add your master key here.

While plopping your master key in the quotes will work, committing that into your code repo can put you at risk if someone gets access to your code checked into version control (which you definitely should be using).

Thankfully, Parse Server already has some ENV variables defined that will be used by default if present which you can see marked as process.env.{VAR_NAME}.

ENV Variables on Heroku

Heroku makes it extremely easy to host your own Parse Server instance.

mLab mongo dash
After setting up your linked mLab MongoDB instance, you will see (1) the uri formatting you will need in order to connect and (2) the username you should use.

Adding a MongoDB instance is easy and free through the Add-on system. It even connects it to your Heroku instance for you!

Heroku config console
Config Variables menu allows you to define as many environment variables as you want

Using the mLab add-on gives us the MONGODB_URI for free so you just need to set up the next 3 in the same way. Once you have this in your Heroku project, your Parse Server is ready to rock and roll! That was easy!

ENV variables locally with dotenv

Our production app is set up and live but we need to set these variables so we can work on our app locally. There are a few ways to handle this but the easiest way I’ve found is using the dotenv npm module.

Step 1 Install dotenv

In your project install the module with

> npm install dotenv --save

Step 2 Create your local .env file

In the root directory of your project, create a file called .env and set it up with all of the same information you put in the Heroku config menu like so:

If in the future, you decide to set up a staging instance or a separate DB with test data, you can use those credentials here while your production server on Heroku maintains the originals.

Step 3 add .env to your .gitignore file

At this point, git will want to add our new .env file to our repo which will make all of this work pointless!

You could add this to the .gitignore file for this project but if you’re going to be working on any other node project in the future, you probably want to add this to your global .gitignore file so you never have to worry about this again.

If you don’t have already have a global .gitignore file, you can create one in your home with the following command:

Once you’ve created this new file, you just need to add a new line for .env and you’re set!

Wrap Up

Now that we’ve set up the necessary config variables in Heroku as well as locally, we’re set to run our Parse Server project in either environment. In addition, you’ve set up a global .gitignore file to double protect yourself from accidentally committing any .env files and their valuable credentials in the future.

Keeping these and any other additional secrets/keys out of your git repo is one of the first steps you can take to making your app secure.