Rabbit-Company / Passky-Server

Server for Passky (password manager)
https://passky.org
GNU General Public License v3.0

fix: remove dotenv and provide example #4

Closed martin-sweeny closed 2 years ago

martin-sweeny commented 2 years ago

jesus christ i can't believe i'm doing this

zigazajc007 commented 2 years ago

Hello,

The default .env file does not include anything that would affect security. It's completely safe to use the default .env file without any changes.

This also makes self-hosting much easier for people without any Linux experience.

Thanks again for your support.

martin-sweeny commented 2 years ago

Well, that's patently false, and you're willfully risking your own infra and your customers' data. Can't say I didn't warn you.

ds8k commented 2 years ago

This is wildly insecure and against standard practice.

https://stackoverflow.com/questions/43664565/why-do-people-put-the-env-into-gitignore

https://platform.sh/blog/2021/we-need-to-talk-about-the-env/

Which brings up the most important thing to remember about .env files: they do not belong in Git.

zigazajc007 commented 2 years ago

Some developers put the .env file in the public folder with sensitive data and sometimes even by mistake as they use this .env file for development and then push it to Github.

In this project, I don't use any sensitive data that could affect the security.

I can rename the ".env" file to ".env.example" and remove the default passwords from it. As this project is meant for non-technical users too, if I provide the command "cp .env.example .env", users would deploy the database without any root and user password, which would potentially make it even worse than providing a default password.

Edited: I should probably make an "installer" that would ask the user for information and automatically fill the .env file based on information received.

ds8k commented 2 years ago

The README would include how to set up the env file. I think your approach with maybe an init script would be simple enough, and could perform the rename operation.

zigazajc007 commented 2 years ago

I have renamed the .env file to .env.example and removed all passwords from it, so advanced users could still just edit the file, and for users that just copy-paste everything from GitHub it would open an installer that would ask them questions, validate the answers and write them to a newly created .env file.

I'm already working on the installer.
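The installer flow described in this comment, as an added illustration that is not Passky-Server's own code: it turns a committed .env.example whose secrets are left blank into a private .env, either prompting the user and validating each answer or generating a random password when the answer is empty. The file names, variable names and validation rules are assumptions, not taken from the project.

```shell
#!/bin/sh
# Added illustration, not Passky-Server's own installer: build a private .env
# from a committed .env.example whose secrets are blank. File and variable
# names are assumed, not taken from the project.
set -eu

# 32 random alphanumeric characters; 512 urandom bytes yield ~124 on average.
gen_secret() {
  head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32
}

# Accept only values that survive a KEY=value line: 16+ chars, no whitespace,
# quotes, '#' or '$'.
validate_secret() {
  case "$1" in
    ''|*[[:space:]]*|*'"'*|*"'"*|*'#'*|*'$'*) return 1 ;;
  esac
  [ "${#1}" -ge 16 ]
}

# With ask=1, prompt for KEY on stdin and retry until the answer validates;
# an empty answer (or ask=0) falls back to a generated secret.
ask_or_generate() {
  key="$1" ask="$2"
  if [ "$ask" = 1 ]; then
    while printf 'Value for %s (blank = generate): ' "$key" >&2 && IFS= read -r a; do
      [ -z "$a" ] && break
      if validate_secret "$a"; then printf '%s' "$a"; return 0; fi
      echo "rejected: need 16+ chars without spaces, quotes, # or \$" >&2
    done
  fi
  gen_secret
}

# write_env EXAMPLE OUT [ask]: copy EXAMPLE to OUT, filling every KEY= whose
# value is blank; refuses to overwrite OUT and creates it owner-readable only.
write_env() {
  example="$1" out="$2" ask="${3:-0}"
  [ -f "$out" ] && { echo "refusing to overwrite $out" >&2; return 1; }
  (umask 077 && : > "$out")
  while IFS= read -r line <&3 || [ -n "$line" ]; do
    case "$line" in
      *=*) key="${line%%=*}" val="${line#*=}" ;;
      *)   printf '%s\n' "$line" >>"$out"; continue ;;   # comments, blanks
    esac
    [ -n "$val" ] || val="$(ask_or_generate "$key" "$ask")"
    printf '%s=%s\n' "$key" "$val" >>"$out"
  done 3<"$example"
}
```

Run it as `write_env .env.example .env 1` for the interactive flow, or with `0` to fill every blank secret automatically.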

martin-sweeny commented 2 years ago

Why didn't you just accept my PR lmao

martin-sweeny commented 2 years ago

zigazajc007 commented 2 years ago

Done 😉