Sensitive environment variables #3336

Closed
mikesigs opened this issue Dec 1, 2016 · 9 comments
Labels
needs: investigation Requires some digging to determine if action is needed

Comments

@mikesigs

mikesigs commented Dec 1, 2016

Hi guys,

I am wondering if there is any plan to support something like dotenv

It would be nice to be able to store sensitive environment settings (e.g. api keys) this way. It's a really helpful npm package and would make a great addition to the CLI.

Thanks!

@antonybudianto7

antonybudianto7 commented Dec 1, 2016

I agree with using dotenv, but not for storing sensitive information.

https://softwareengineering.stackexchange.com/questions/194045/securely-storing-secret-data-in-a-client-side-web-application

Using dotenv really helps with many environments and is scalable, and more importantly, we can migrate from the CLI to other starters (and vice versa) without much problem, since dotenv is very standard and widely used.

Even create-react-app bundled dotenv by default: https://github.com/facebookincubator/create-react-app/blob/master/packages/react-scripts/template/README.md#adding-development-environment-variables-in-env

@mikesigs
Author

mikesigs commented Dec 1, 2016

Y'know I didn't realize how dumb of a question I had asked until just now. Of course you're not going to be able to use dotenv in a client-side app. You're not going to access environment variables on the client's machine. And yeah... Obviously not going to store sensitive data there either.

@mikesigs mikesigs closed this as completed Dec 1, 2016
@mikesigs mikesigs reopened this Dec 1, 2016
@antonybudianto7

Well, some keys, like the Firebase apiKey, are non-secret and can be bundled into client-side code, since they have a domain whitelist mechanism. Using dotenv in a client-side app is possible, like create-react-app, but you still store secret information on the server side.

@mikesigs
Author

mikesigs commented Dec 1, 2016

I was just thinking about not committing certain settings to the repository and dotenv enables that. But I didn't consider that anything you put in dotenv will need to be in your compiled code anyways.

So I guess the real question is, what does dotenv provide that the current environment configuration in the CLI doesn't?
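
The point reached in the comment above, that anything put in .env for a client-side app ends up in the compiled code, can be turned into a build check. The following is an added example, not code from this thread or from Angular CLI; the function names, the allow-list parameter, and the sample .env and bundle text are assumptions constructed for illustration.

```javascript
// Added example: reports which .env values ended up in a client-side bundle.
// All names and sample data here are constructed for illustration.

// Minimal KEY=VALUE parser for .env text (comments, blank lines, quotes).
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = /^(['"])(.*)\1$/.exec(value);
    if (quoted) value = quoted[2];
    vars[key] = value;
  }
  return vars;
}

// Return the keys whose values appear verbatim in the bundle text and are
// not on the allow-list of values the team has agreed are public.
function findLeakedKeys(envText, bundleText, publicKeys = []) {
  const allowed = new Set(publicKeys);
  return Object.entries(parseEnv(envText))
    .filter(([key, value]) =>
      !allowed.has(key) &&
      value.length >= 8 && // skip short values like "true" that match by chance
      bundleText.includes(value))
    .map(([key]) => key)
    .sort();
}

// Constructed sample .env content.
const SAMPLE_ENV = [
  '# local settings, not committed',
  'API_URL=https://api.example.test/v1',
  'FIREBASE_API_KEY="constructed-public-key-0001"',
  'PAYMENT_SECRET=constructed-secret-value-9999',
  'SERVER_ONLY_TOKEN=constructed-token-never-bundled',
  'DEBUG=true',
].join('\n');

// Constructed stand-in for bundler output after env values were inlined.
const SAMPLE_BUNDLE =
  'var cfg={url:"https://api.example.test/v1",fb:"constructed-public-key-0001"};' +
  'function pay(){return fetch(cfg.url,{headers:{"X-Key":"constructed-secret-value-9999"}})}';

console.log(findLeakedKeys(SAMPLE_ENV, SAMPLE_BUNDLE, ['API_URL', 'FIREBASE_API_KEY']));
```

Run against a real build, a non-empty result would fail the pipeline: the value is readable by anyone who downloads the bundle, whether or not .env itself was committed.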

@antonybudianto7

antonybudianto7 commented Dec 1, 2016

Well, if the env is used for things like a debug flag, production flag, or API URL, then the current configuration is enough, but since it's committed to source control, it'll affect other developers that use the same environment (much like if you commit your own IDE config).
And... it's not a problem with dotenv, since each developer/environment has their own .env 👍

@hansl hansl added the needs: investigation Requires some digging to determine if action is needed label Dec 9, 2016
@frankfullstack

frankfullstack commented Dec 9, 2016

I tried with the dotenv package, and several webpack plugins unsuccessfully.

Anyone tried these packages: webpack-dotenv-plugin and dotenv-webpack?

I want to inject some environment API keys into my Angular services but I'm not able to do it.

@antonybudianto
Contributor

Example starter using dotenv
https://github.com/antonybudianto/angular-webpack-starter

@filipesilva
Contributor

Discussion on how to do this sort of thing can be found in #3855.

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 7, 2019
6 participants