2

I'm connecting to a few APIs and using basic authentication like so:

this.jenkins = jenkinsapi.init('https://USERNAME:PASSWORD@this-is-a-jenkins.server.local:8080', {strictSSL: false});

I'm concerned about just having the user's password just sitting there in a variable or plain text. It is inside a 'private' method but if anybody is able to view the source on the server they would be able to view the username and password.

How can I make this more secure while still using http basic auth?

Ramkrishna Sharma
  • 6,961
  • 3
  • 42
  • 51
JmJ
  • 1,989
  • 3
  • 29
  • 51
  • 1
    use configuration file to store username/password, ideally a file that is loaded in the server not in the webapp or on build so even developpers will not know the username/password of production. – Walfrat Apr 26 '16 at 13:25

1 Answers1

1

Take a look at Environment Variables. These are available in Node.js.

process.env.ENV_VARIABLE

Where ENV_VARIABLE is something defined in your system running the application. For isntance, in my Node.js application running on Heroku, and hosted publically on Github, I'm using process.env.MONGOLAB_URI instead of the SQL-type string containing the database name, username, and password. I have this automatically configured because of Heroku, but I'm able to also set the variable locally in my OS (Windows in this case) so that the code will run locally, as well.

Also check out this answer about using Environment variables with Jenkins.

Community
  • 1
  • 1