oortcloud / heroku-buildpack-meteorite

MIT License

Prevent mongo url and password showing in heroku logs #9

Closed timhaines closed 11 years ago

timhaines commented 11 years ago

We noticed our MongoHQ password was showing in the logs when meteor was starting up.

I added a note to the readme about specifying MONGO_URL in the Heroku config.

tmeasday commented 11 years ago

I see. Does this mean everyone using the buildpack needs to update?

timhaines commented 11 years ago

Yes. And change their mongo passwords if they're prudent. We noticed it when we emailed our logs between each other.

tmeasday commented 11 years ago

Hi Tim. Sorry I've been a bit slow at getting to this.

  1. Have you looked into any other way to automatically set the MONGO_URL env vars?
  2. Is this actually a problem? If someone can access your logs, can't they also do a heroku config:get MONGO_URL?

timhaines commented 11 years ago

Hey Tom,

No worries at all. I haven't looked into other ways.

It's a problem if you're emailing logs or otherwise transferring them off the servers, and you don't think to clear the passwords out.

tmeasday commented 11 years ago

Ok, that's reasonable. I'll try to find out if there's a better way to do it; if I can't figure something out, then I'll just merge this. Let me know if you figure anything out yourself.

tmeasday commented 11 years ago

Note: I tried to follow the notes written here: https://devcenter.heroku.com/articles/buildpack-api#default-environment but it doesn't seem to be working (see the hide-mongo-url branch).

Working with buildpacks is very frustrating as there's little to no output in many cases and it takes a long time to try anything :)

It'd be better if it worked automatically, but not a big deal. If you could, can you have a go at this? Otherwise I'll just commit this change early next week.

tmeasday commented 11 years ago

Awesome, that was it (the script needs to manually write .profile.d). Sorted.
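
An added example, not part of the thread and not the buildpack's own code: a compile-step helper that writes a .profile.d script so MONGO_URL is set at dyno start without its value reaching the build output, plus a filter that masks Mongo passwords in logs before they are emailed. The function names, the file name mongo_url.sh and the add-on variable MONGOHQ_URL are assumptions.

```shell
#!/usr/bin/env bash
# Added example: hypothetical helpers, not taken from the buildpack.

# Call from bin/compile with BUILD_DIR (the first argument Heroku passes).
# Scripts under $BUILD_DIR/.profile.d are sourced when the dyno starts.
write_mongo_profile() {
  build_dir="$1"
  mkdir -p "$build_dir/.profile.d"
  # Quoted heredoc: nothing is expanded at build time, so no credential
  # is written into the slug or echoed into the build log.
  cat > "$build_dir/.profile.d/mongo_url.sh" <<'EOF'
# Keep an explicitly configured MONGO_URL; otherwise fall back to the
# add-on variable (MONGOHQ_URL is an assumption of this example).
if [ -z "${MONGO_URL:-}" ] && [ -n "${MONGOHQ_URL:-}" ]; then
  export MONGO_URL="$MONGOHQ_URL"
fi
EOF
  # Log that the file was written, never the value it will resolve to.
  echo "-----> Wrote .profile.d/mongo_url.sh (value not printed)"
}

# Filter for logs that are about to leave the platform: masks the
# password in any mongodb:// or mongodb+srv:// URL read from stdin.
redact_mongo_urls() {
  sed -E 's#(mongodb(\+srv)?://[^:/@[:space:]]+):[^@[:space:]]+@#\1:***@#g'
}
```

Piping a saved log through redact_mongo_urls before sharing it removes the password but not the exposure: a credential that has already appeared in logs should still be rotated.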