lemaiwo / ui5-middleware-route-proxy

UI5Tooling route proxy
MIT License

Read username/password from .env file, accepts self-signed certs #1

Closed blahbap closed 4 years ago

blahbap commented 4 years ago

Updates:

I use your middleware to connect to a SAP backend server over HTTPS - these small changes make it easier and more secure I believe. I thought I might as well create a pull request for your repo instead of creating yet another proxy middleware :)

regards Frank

lemaiwo commented 4 years ago

Thank you for your contribution! I will update this version in npm

rayatus commented 4 years ago

what about trying to consume different authenticated services within same app? .env file only allows to specify just 1 user/pass.

blahbap commented 4 years ago

@rayatus you are right, this was lost - I have to confess I only need the connection to the SAP server and did not consider this. Can this even be solved with the .env file - can you specify multiple users/passwords in the .env file in a good way?

rayatus commented 4 years ago

I don't really know how to store several passwords in an .ENV file.

The thing is that... as I see it this reverse proxy is a way of testing locally in the same way we would do while in production, so I guess that the reverse proxy would not be needed in production environments, or even QA (because SAP Cloud has destination and connectivity services), so is it really needed to have user/pass in the .ENV files?

Maybe there's just the need to separate the reverse proxy configuration from the user/pass in order not to be processed by Git. This could be accomplished just by splitting data into different files and ignoring the user/pass one in the .gitignore file.

What do you think? Or am I totally wrong?

lemaiwo commented 4 years ago

Hi @rayatus , thank you for the valuable feedback. I have updated the code so it is backwards compatible. When it finds a username and password in the ui5 config, it will use this one. If not, it will look in .env.

blahbap commented 4 years ago

@lemaiwo I tested the latest version, works well, great! @rayatus I also use the middleware when developing, but I need username/password to authenticate against the SAP development server over HTTPS, and I do not want to include these credentials in my Git repo. Having the credentials in a .env file allows me to add the file to .gitignore

rayatus commented 4 years ago

yes @blahbap, in fact my last suggestion was to make use of a customized like ENV file, so in that new file you could store user/passwords like in the previous version but because it's a separated file it could be not included in the Git repo.

something like this: odata.json --> just the target, root and the rest of the needed config

{
  "root1": {
    "target": "http://host1:port1",
    "changeOrigin": true
  },
  "root2": {
    "target": "http://host2:port2"
  }
}

odata_auth.json --> just the user/pass

{
  "root1": {
    "user": "<user>",
    "pass": "<pass>"
  },
  "root2": {
    "user": "<user>",
    "pass": "<pass>"
  }
}

it's only an idea. What do you think?

lemaiwo commented 4 years ago

@rayatus good idea, the extension worked like this in the beginning but I changed my mind. :)

I have to change my mind again as you have a fair point. It's not the most secure way to put the username and password in git.

Please go ahead, feel free to implement this. I'll be happy to merge your pull request ;) I would just keep it backward compatible and still use the username and password from the config as fallback scenario.
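The split-file idea with the backward-compatible fallback discussed above, as an added example that is not part of the thread and not the middleware's own code. The function names, the `PROXY_USERNAME`/`PROXY_PASSWORD` variable names and the sample file contents are assumptions made for illustration.

```javascript
// Constructed sample inputs. In a project these would be the contents of
// odata.json (committed) and odata_auth.json (listed in .gitignore).
const ODATA_JSON = `{
  "root1": { "target": "http://host1:port1", "changeOrigin": true },
  "root2": { "target": "http://host2:port2", "user": "cfgUser", "pass": "cfgPass" },
  "root3": { "target": "http://host3:port3" }
}`;
const ODATA_AUTH_JSON = `{ "root1": { "user": "authUser", "pass": "authPass" } }`;

// Hypothetical helper: merges per-route credentials into the route config.
// Precedence: ignored auth file, then the route config (legacy fallback),
// then process-wide environment variables (assumed names).
function resolveRoutes(routesJson, authJson, env = {}) {
  const routes = JSON.parse(routesJson);
  const auth = authJson ? JSON.parse(authJson) : {}; // auth file is optional
  // A credential entry with no matching route is almost always a typo.
  for (const name of Object.keys(auth)) {
    if (!Object.keys(routes).includes(name)) {
      throw new Error(`auth entry for unknown route: ${name}`);
    }
  }
  const complete = (c) => Boolean(c && c.user && c.pass);
  const resolved = {};
  for (const [name, cfg] of Object.entries(routes)) {
    const { user, pass, ...proxyOptions } = cfg; // keep secrets out of the options
    const candidates = [
      ["auth-file", auth[name]],
      ["config", { user, pass }],
      ["env", { user: env.PROXY_USERNAME, pass: env.PROXY_PASSWORD }],
    ];
    const hit = candidates.find(([, c]) => complete(c));
    resolved[name] = {
      ...proxyOptions,
      source: hit ? hit[0] : "none",
      // "user:pass" for a Basic auth header; undefined means no credentials
      auth: hit ? `${hit[1].user}:${hit[1].pass}` : undefined,
    };
  }
  return resolved;
}

// Safe to log: reports where each credential came from, never its value.
function describeRoutes(resolved) {
  return Object.entries(resolved)
    .map(([name, r]) => `${name} -> ${r.target} (credentials: ${r.source})`);
}
```

Logging `describeRoutes(...)` at startup shows which routes still take credentials from the committed config, which is the case the thread wants to move away from.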

rayatus commented 4 years ago

done >PullRequest