How to Store Credentials as Environment Variables and Read in JavaScript

Photo by Andrew Neel on Unsplash

How to Store Credentials as Environment Variables and Read in JavaScript

Article was orginally posted on realjavascriptproject.com/how-to-store-cred..

Secrets are called secrets for a reason. We do not want others to know about them, be it in real life or in JavaScript. In this tutorial, you will learn how to store your credentials as environment variables and learn how to read them in JavaScript. We will discuss 3 different ways to store credentials and read them using JavaScript. 

  • Storing them as Global Environment Variables
  • Providing them as a Command Line Argument
  • Storing them in a .env file
  • Which is the best way to Read Credentials Locally in Javascript?

If you are interested in a similar tutorial for python, you can check out this article

Storing Credentials as Global Environment Variables

If the credentials are stored as Global Environment Variables, they can be accessed by any script running on your PC.

To Create a Global Environment Variable, run this in your terminal

export varName=varValue

Ensure there are no spaces between the ‘=’. If you get an error 

“zsh: Bad Assignment”

or

bash: export: `=': not a valid identifier

it is probably caused because of space between the ‘=’.

Let’s create a couple of global environment variables

export globalUser=secretUser
export globalKey=secretKey

In Windows, you might have to use “set” instead of “export”.

Below is how you would access the variables in Node

const USER= process.env.globalUser
const KEY = process.env.globalKey

console.log(USER) // secretUser console.log(KEY) // secretKey

process.env returns an object with all your Global Environment Variable.

You do not need to install any npm library since process is a built-in library in Node. The biggest con of Global Environment Variables is that you risk overwritting previously existing variables. As time goes by, it will be hard to keep track of previously created variables and avoid overwriting.

If you want to remove the environment variable you created earlier

unset globalUser
unset globalKey

Providing Credentials as Command Line Arguments

If you want to pass your credentials in the command line

globalUser=secretUser globalKey=secretKey node app.js

You could access them in Node the same you way you accessed the global environment variables

const USER= process.env.globalUser
const KEY = process.env.globalKey

console.log(USER) // secretUser console.log(KEY) // secretKey

A caveat to doing something like this is that you will have to remember to pass the credentials as command-line arguments each time you run your script. 

Storing Credentials in a .env file

Code Snippet showing how to read environment variables from a .env file
Code Snippet showing how to read environment variables from a .env file

You can create a file named .env and store your credentials over there. Although you can store your credentials in any file and read them from your file, conventionally credentials are stored in .env files.

globalUser=secretUser
globalKey=secretKey

.env files are usually used to store secrets and credentials. Make sure to add it to your .gitignore file so that you don’t commit it by mistake.

To read variables from an .env file you will have to install dotenv which is a npm package.

npm install dotenv --save

dotenv can be installed as a dev dependency since it will only be used during development to load variables from .env files.

Below is the code to read the variables from the env file

require('dotenv').config()

const USER= process.env.globalUser const KEY = process.env.globalKey

console.log(USER) // globalUser console.log(KEY) // globalKey

As you can see most of the code is same as before. The only addition being the require statement at top.

Which is the best way to Read Credentials Locally in Javascript?

In my opinion, the best way is to store them inside a .env file.

  • They are local to your project
  • You do not need to worry about ‘unsetting’ them. 
  • If you add them to your .gitignore file, it is safe from the outside world

The only con is that if there is a Global Environment Variable with the same name as a variable in the .env file, process.env will return the Global Environment Variable.