@dotenvx/dotenvx 0.16.1 → 0.17.0

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.16.1",
+  "version": "0.17.0",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",
@@ -25,14 +25,14 @@
     "prerelease": "npm test",
     "release": "standard-version"
   },
-  "funding": "Have you seen dotenvx.com? run anywhere, cross-platform, and encrypted envs.",
+  "funding": "https://dotenvx.com",
   "dependencies": {
     "@inquirer/prompts": "^3.3.0",
     "chalk": "^4.1.2",
     "clipboardy": "^2.3.0",
     "commander": "^11.1.0",
     "conf": "^10.2.0",
-    "dotenv": "^16.4.5",
+    "dotenv": "16.4.5",
     "dotenv-expand": "^11.0.6",
     "execa": "^5.1.1",
     "glob": "^10.3.10",

package/src/cli/actions/encrypt.js

@@ -1,4 +1,5 @@
 const fs = require('fs')
+const path = require('path')
 
 const main = require('./../../lib/main')
 const logger = require('./../../shared/logger')
@@ -7,149 +8,76 @@ const createSpinner = require('./../../shared/createSpinner')
 
 const spinner = createSpinner('encrypting')
 
-// constants
-const ENCODING = 'utf8'
-
-async function encrypt () {
+async function encrypt (directory) {
   spinner.start()
   await helpers.sleep(500) // better dx
 
+  logger.debug(`directory: ${directory}`)
+
   const options = this.opts()
   logger.debug(`options: ${JSON.stringify(options)}`)
 
-  let optionEnvFile = options.envFile
-  if (!Array.isArray(optionEnvFile)) {
-    optionEnvFile = [optionEnvFile]
-  }
-
-  const addedKeys = new Set()
-  const addedVaults = new Set()
-  const addedEnvFilepaths = new Set()
-
-  // must be at least one .env* file
-  if (optionEnvFile.length < 1) {
-    spinner.fail('no .env* files found')
-    logger.help('? add one with [echo "HELLO=World" > .env] and then run [dotenvx encrypt]')
-    process.exit(1)
-  }
+  const optionEnvFile = options.envFile || helpers.findEnvFiles(directory)
 
   try {
-    logger.verbose(`generating .env.keys from ${optionEnvFile}`)
-
-    const dotenvKeys = (main.configDotenv({ path: '.env.keys' }).parsed || {})
-
-    for (const envFilepath of optionEnvFile) {
-      const filepath = helpers.resolvePath(envFilepath)
-      if (!fs.existsSync(filepath)) {
-        spinner.fail(`file does not exist at [${filepath}]`)
-        logger.help(`? add it with [echo "HELLO=World" > ${envFilepath}] and then run [dotenvx encrypt]`)
-        process.exit(1)
-      }
-
-      const environment = helpers.guessEnvironment(filepath)
-      const key = `DOTENV_KEY_${environment.toUpperCase()}`
+    const {
+      dotenvKeys,
+      dotenvKeysFile,
+      addedKeys,
+      existingKeys,
+      dotenvVaultFile,
+      addedVaults,
+      existingVaults,
+      addedDotenvFilenames
+    } = main.encrypt(directory, optionEnvFile)
 
-      let value = dotenvKeys[key]
+    logger.verbose(`generating .env.keys from ${optionEnvFile}`)
+    if (addedKeys.length > 0) {
+      logger.verbose(`generated ${addedKeys}`)
+    }
+    if (existingKeys.length > 0) {
+      logger.verbose(`existing ${existingKeys}`)
+    }
+    fs.writeFileSync(path.resolve(directory, '.env.keys'), dotenvKeysFile)
 
-      // first time seeing new DOTENV_KEY_${environment}
-      if (!value || value.length === 0) {
-        logger.verbose(`generating ${key}`)
-        value = helpers.generateDotenvKey(environment)
-        logger.debug(`generating ${key} as ${value}`)
+    logger.verbose(`generating .env.vault from ${optionEnvFile}`)
+    if (addedVaults.length > 0) {
+      logger.verbose(`encrypting ${addedVaults}`)
+    }
+    if (existingVaults.length > 0) {
+      logger.verbose(`existing ${existingVaults}`)
+    }
+    fs.writeFileSync(path.resolve(directory, '.env.vault'), dotenvVaultFile)
 
-        dotenvKeys[key] = value
+    if (addedDotenvFilenames.length > 0) {
+      spinner.succeed(`encrypted to .env.vault (${addedDotenvFilenames})`)
+      logger.help2('ℹ commit .env.vault to code: [git commit -am ".env.vault"]')
+    } else {
+      spinner.done(`no changes (${optionEnvFile})`)
+    }
 
-        addedKeys.add(key) // for info logging to user
-      } else {
-        logger.verbose(`existing ${key}`)
-        logger.debug(`existing ${key} as ${value}`)
-      }
+    if (addedKeys.length > 0) {
+      spinner.succeed(`${helpers.pluralize('key', addedKeys.length)} added to .env.keys (${addedKeys})`)
+      logger.help2('ℹ push .env.keys up to hub: [dotenvx hub push]')
     }
 
-    let keysData = `#/!!!!!!!!!!!!!!!!!!!.env.keys!!!!!!!!!!!!!!!!!!!!!!/
-#/   DOTENV_KEYs. DO NOT commit to source control   /
-#/   [how it works](https://dotenvx.com/env-keys)   /
-#/--------------------------------------------------/\n`
+    if (addedVaults.length > 0) {
+      const DOTENV_VAULT_X = addedVaults[addedVaults.length - 1]
+      const DOTENV_KEY_X = DOTENV_VAULT_X.replace('_VAULT_', '_KEY_')
+      const tryKey = dotenvKeys[DOTENV_KEY_X] || '<dotenv_key_environment>'
 
-    for (const key in dotenvKeys) {
-      const value = dotenvKeys[key]
-      keysData += `${key}="${value}"\n`
+      logger.help2(`ℹ run [DOTENV_KEY='${tryKey}' dotenvx run -- yourcommand] to test decryption locally`)
     }
-
-    fs.writeFileSync('.env.keys', keysData)
   } catch (error) {
     spinner.fail(error.message)
-    process.exit(1)
-  }
-
-  // used later in logging to user
-  const dotenvKeys = (main.configDotenv({ path: '.env.keys' }).parsed || {})
-
-  try {
-    logger.verbose(`generating .env.vault from ${optionEnvFile}`)
-
-    const dotenvVaults = (main.configDotenv({ path: '.env.vault' }).parsed || {})
-
-    for (const envFilepath of optionEnvFile) {
-      const filepath = helpers.resolvePath(envFilepath)
-      const environment = helpers.guessEnvironment(filepath)
-      const vault = `DOTENV_VAULT_${environment.toUpperCase()}`
-
-      let ciphertext = dotenvVaults[vault]
-      const dotenvKey = dotenvKeys[`DOTENV_KEY_${environment.toUpperCase()}`]
-
-      if (!ciphertext || ciphertext.length === 0 || helpers.changed(ciphertext, dotenvKey, filepath, ENCODING)) {
-        logger.verbose(`encrypting ${vault}`)
-        ciphertext = helpers.encryptFile(filepath, dotenvKey, ENCODING)
-        logger.verbose(`encrypting ${vault} as ${ciphertext}`)
-
-        dotenvVaults[vault] = ciphertext
-
-        addedVaults.add(vault) // for info logging to user
-        addedEnvFilepaths.add(envFilepath) // for info logging to user
-      } else {
-        logger.verbose(`existing ${vault}`)
-        logger.debug(`existing ${vault} as ${ciphertext}`)
-      }
+    if (error.help) {
+      logger.help(error.help)
     }
-
-    let vaultData = `#/-------------------.env.vault---------------------/
-#/         cloud-agnostic vaulting standard         /
-#/   [how it works](https://dotenvx.com/env-vault)  /
-#/--------------------------------------------------/\n\n`
-
-    for (const vault in dotenvVaults) {
-      const value = dotenvVaults[vault]
-      const environment = vault.replace('DOTENV_VAULT_', '').toLowerCase()
-      vaultData += `# ${environment}\n`
-      vaultData += `${vault}="${value}"\n\n`
+    if (error.code) {
+      logger.debug(`ERROR_CODE: ${error.code}`)
     }
-
-    fs.writeFileSync('.env.vault', vaultData)
-  } catch (e) {
-    spinner.fail(e.message)
     process.exit(1)
   }
-
-  if (addedEnvFilepaths.size > 0) {
-    spinner.succeed(`encrypted to .env.vault (${[...addedEnvFilepaths]})`)
-    logger.help2('ℹ commit .env.vault to code: [git commit -am ".env.vault"]')
-  } else {
-    spinner.done(`no changes (${optionEnvFile})`)
-  }
-
-  if (addedKeys.size > 0) {
-    spinner.succeed(`${helpers.pluralize('key', addedKeys.size)} added to .env.keys (${[...addedKeys]})`)
-    logger.help2('ℹ push .env.keys up to hub: [dotenvx hub push]')
-  }
-
-  if (addedVaults.size > 0) {
-    const DOTENV_VAULT_X = [...addedVaults][addedVaults.size - 1]
-    const DOTENV_KEY_X = DOTENV_VAULT_X.replace('_VAULT_', '_KEY_')
-    const tryKey = dotenvKeys[DOTENV_KEY_X] || '<dotenv_key_environment>'
-
-    logger.help2(`ℹ run [DOTENV_KEY='${tryKey}' dotenvx run -- yourcommand] to test decryption locally`)
-  }
 }
 
 module.exports = encrypt

package/src/cli/dotenvx.js

@@ -5,7 +5,6 @@ const { Command } = require('commander')
 const program = new Command()
 
 const logger = require('./../shared/logger')
-const helpers = require('./helpers')
 const examples = require('./examples')
 const packageJson = require('./../shared/packageJson')
 
@@ -64,7 +63,8 @@ program.command('run')
 program.command('encrypt')
   .description('encrypt .env.* to .env.vault')
   .addHelpText('after', examples.encrypt)
-  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', helpers.findEnvFiles('./'))
+  .argument('[directory]', 'directory to encrypt', '.')
+  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
   .action(require('./actions/encrypt'))
 
 // dotenvx decrypt

package/src/lib/helpers/dotenvKeys.js

@@ -0,0 +1,68 @@
+const path = require('path')
+const crypto = require('crypto')
+
+class DotenvKeys {
+  constructor (envFilepaths = [], dotenvKeys = {}) {
+    this.envFilepaths = envFilepaths // pass .env* filepaths to be encrypted
+    this.dotenvKeys = dotenvKeys // pass current parsed dotenv keys from .env.keys file
+  }
+
+  run () {
+    const addedKeys = new Set()
+    const existingKeys = new Set()
+
+    for (const filepath of this.envFilepaths) {
+      const environment = this._guessEnvironment(filepath)
+      const key = `DOTENV_KEY_${environment.toUpperCase()}`
+
+      let value = this.dotenvKeys[key]
+
+      // first time seeing new DOTENV_KEY_${environment}
+      if (!value || value.length === 0) {
+        value = this._generateDotenvKey(environment)
+
+        this.dotenvKeys[key] = value
+
+        addedKeys.add(key) // for info logging to user
+      } else {
+        existingKeys.add(key) // for info logging to user
+      }
+    }
+
+    let keysData = `#/!!!!!!!!!!!!!!!!!!!.env.keys!!!!!!!!!!!!!!!!!!!!!!/
+#/   DOTENV_KEYs. DO NOT commit to source control   /
+#/   [how it works](https://dotenvx.com/env-keys)   /
+#/--------------------------------------------------/\n`
+
+    for (const [key, value] of Object.entries(this.dotenvKeys)) {
+      keysData += `${key}="${value}"\n`
+    }
+
+    return {
+      dotenvKeys: this.dotenvKeys,
+      dotenvKeysFile: keysData,
+      addedKeys: [...addedKeys], // return set as array
+      existingKeys: [...existingKeys] // return set as array
+    }
+  }
+
+  _guessEnvironment (filepath) {
+    const filename = path.basename(filepath)
+    const parts = filename.split('.')
+    const possibleEnvironment = parts[2] // ['', 'env', environment', 'previous']
+
+    if (!possibleEnvironment || possibleEnvironment.length === 0) {
+      return 'development'
+    }
+
+    return possibleEnvironment
+  }
+
+  _generateDotenvKey (environment) {
+    const rand = crypto.randomBytes(32).toString('hex')
+
+    return `dotenv://:key_${rand}@dotenvx.com/vault/.env.vault?environment=${environment.toLowerCase()}`
+  }
+}
+
+module.exports = DotenvKeys

package/src/lib/helpers/dotenvVault.js

@@ -0,0 +1,151 @@
+const path = require('path')
+const crypto = require('crypto')
+const xxhash = require('xxhashjs')
+const dotenv = require('dotenv')
+
+const XXHASH_SEED = 0xABCD
+const NONCE_BYTES = 12
+
+class DotenvVault {
+  constructor (dotenvFiles = {}, dotenvKeys = {}, dotenvVaults = {}) {
+    this.dotenvFiles = dotenvFiles // key: filepath and value: filecontent
+    this.dotenvKeys = dotenvKeys // pass current parsed dotenv keys from .env.keys
+    this.dotenvVaults = dotenvVaults // pass current parsed dotenv vaults from .env.vault
+  }
+
+  run () {
+    const addedVaults = new Set()
+    const existingVaults = new Set()
+    const addedDotenvFilenames = new Set()
+
+    for (const [filepath, raw] of Object.entries(this.dotenvFiles)) {
+      const environment = this._guessEnvironment(filepath)
+      const vault = `DOTENV_VAULT_${environment.toUpperCase()}`
+
+      let ciphertext = this.dotenvVaults[vault]
+      const dotenvKey = this.dotenvKeys[`DOTENV_KEY_${environment.toUpperCase()}`]
+
+      if (!ciphertext || ciphertext.length === 0 || this._changed(dotenvKey, ciphertext, raw)) {
+        ciphertext = this._encrypt(dotenvKey, raw)
+        this.dotenvVaults[vault] = ciphertext
+        addedVaults.add(vault) // for info logging to user
+
+        addedDotenvFilenames.add(path.basename(filepath)) // for info logging to user
+      } else {
+        existingVaults.add(vault) // for info logging to user
+      }
+    }
+
+    let vaultData = `#/-------------------.env.vault---------------------/
+#/         cloud-agnostic vaulting standard         /
+#/   [how it works](https://dotenvx.com/env-vault)  /
+#/--------------------------------------------------/\n\n`
+
+    for (const [vault, value] of Object.entries(this.dotenvVaults)) {
+      const environment = vault.replace('DOTENV_VAULT_', '').toLowerCase()
+      vaultData += `# ${environment}\n`
+      vaultData += `${vault}="${value}"\n\n`
+    }
+
+    return {
+      dotenvVaultFile: vaultData,
+      addedVaults: [...addedVaults], // return set as array
+      existingVaults: [...existingVaults], // return set as array
+      addedDotenvFilenames: [...addedDotenvFilenames] // return set as array
+    }
+  }
+
+  _guessEnvironment (filepath) {
+    const filename = path.basename(filepath)
+    const parts = filename.split('.')
+    const possibleEnvironment = parts[2] // ['', 'env', environment', 'previous']
+
+    if (!possibleEnvironment || possibleEnvironment.length === 0) {
+      return 'development'
+    }
+
+    return possibleEnvironment
+  }
+
+  _changed (dotenvKey, ciphertext, raw) {
+    const decrypted = this._decrypt(dotenvKey, ciphertext)
+
+    return this._hash(decrypted) !== this._hash(raw)
+  }
+
+  _encrypt (dotenvKey, raw) {
+    const key = this._parseEncryptionKeyFromDotenvKey(dotenvKey)
+
+    // set up nonce
+    const nonce = crypto.randomBytes(NONCE_BYTES)
+
+    // set up cipher
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce)
+
+    // generate ciphertext
+    let ciphertext = ''
+    ciphertext += cipher.update(raw, 'utf8', 'hex')
+    ciphertext += cipher.final('hex')
+    ciphertext += cipher.getAuthTag().toString('hex')
+
+    // prepend nonce
+    ciphertext = nonce.toString('hex') + ciphertext
+
+    // base64 encode output
+    return Buffer.from(ciphertext, 'hex').toString('base64')
+  }
+
+  _decrypt (dotenvKey, ciphertext) {
+    const key = this._parseEncryptionKeyFromDotenvKey(dotenvKey)
+
+    try {
+      return dotenv.decrypt(ciphertext, key)
+    } catch (e) {
+      const decryptionFailedError = new Error('[DECRYPTION_FAILED] Unable to decrypt .env.vault with DOTENV_KEY.')
+      decryptionFailedError.code = 'DECRYPTION_FAILED'
+      decryptionFailedError.help = '[DECRYPTION_FAILED] Run with debug flag [dotenvx run --debug -- yourcommand] or manually run [echo $DOTENV_KEY] to compare it to the one in .env.keys.'
+      decryptionFailedError.debug = `[DECRYPTION_FAILED] DOTENV_KEY is ${dotenvKey}`
+
+      switch (e.code) {
+        case 'DECRYPTION_FAILED':
+          throw decryptionFailedError
+        default:
+          throw e
+      }
+    }
+  }
+
+  _parseEncryptionKeyFromDotenvKey (dotenvKey) {
+    // Parse DOTENV_KEY. Format is a URI
+    let uri
+    try {
+      uri = new URL(dotenvKey)
+    } catch (e) {
+      const code = 'INVALID_DOTENV_KEY'
+      const message = `INVALID_DOTENV_KEY: ${e.message}`
+      const error = new Error(message)
+      error.code = code
+
+      throw error
+    }
+
+    // Get decrypt key
+    const key = uri.password
+    if (!key) {
+      const code = 'INVALID_DOTENV_KEY'
+      const message = 'INVALID_DOTENV_KEY: Missing key part'
+      const error = new Error(message)
+      error.code = code
+
+      throw error
+    }
+
+    return Buffer.from(key.slice(-64), 'hex')
+  }
+
+  _hash (str) {
+    return xxhash.h32(str, XXHASH_SEED).toString(16)
+  }
+}
+
+module.exports = DotenvVault

package/src/lib/main.js

@@ -3,6 +3,7 @@ const dotenv = require('dotenv')
 const dotenvExpand = require('dotenv-expand')
 
 // services
+const Encrypt = require('./services/encrypt')
 const Ls = require('./services/ls')
 
 const config = function (options) {
@@ -105,6 +106,10 @@ const inject = function (processEnv = {}, parsed = {}, overload = false) {
   }
 }
 
+const encrypt = function (directory, envFile) {
+  return new Encrypt(directory, envFile).run()
+}
+
 const ls = function (directory, envFile) {
   return new Ls(directory, envFile).run()
 }
@@ -116,5 +121,6 @@ module.exports = {
   parse,
   parseExpand,
   inject,
-  ls
+  ls,
+  encrypt
 }

package/src/lib/services/encrypt.js

@@ -0,0 +1,115 @@
+const fs = require('fs')
+const path = require('path')
+const dotenv = require('dotenv')
+
+const DotenvKeys = require('./../helpers/dotenvKeys')
+const DotenvVault = require('./../helpers/dotenvVault')
+
+const ENCODING = 'utf8'
+
+class Encrypt {
+  constructor (directory = '.', envFile = '.env') {
+    this.directory = directory
+    this.envFile = envFile
+    // calculated
+    this.envKeysFilepath = path.resolve(this.directory, '.env.keys')
+    this.envVaultFilepath = path.resolve(this.directory, '.env.vault')
+  }
+
+  run () {
+    if (this.envFile.length < 1) {
+      const code = 'MISSING_ENV_FILES'
+      const message = 'no .env* files found'
+      const help = '? add one with [echo "HELLO=World" > .env] and then run [dotenvx encrypt]'
+
+      const error = new Error(message)
+      error.code = code
+      error.help = help
+      throw error
+    }
+
+    const parsedDotenvKeys = this._parsedDotenvKeys()
+    const parsedDotenvVaults = this._parsedDotenvVault()
+    const envFilepaths = this._envFilepaths()
+
+    // build filepaths to be passed to DotenvKeys
+    const uniqueEnvFilepaths = new Set()
+    for (const envFilepath of envFilepaths) {
+      const filepath = path.resolve(this.directory, envFilepath)
+      if (!fs.existsSync(filepath)) {
+        const code = 'MISSING_ENV_FILE'
+        const message = `file does not exist at [${filepath}]`
+        const help = `? add it with [echo "HELLO=World" > ${envFilepath}] and then run [dotenvx encrypt]`
+
+        const error = new Error(message)
+        error.code = code
+        error.help = help
+        throw error
+      }
+
+      uniqueEnvFilepaths.add(filepath)
+    }
+
+    // generate .env.keys string
+    const {
+      dotenvKeys,
+      dotenvKeysFile,
+      addedKeys,
+      existingKeys
+    } = new DotenvKeys([...uniqueEnvFilepaths], parsedDotenvKeys).run()
+
+    // build look up of .env filepaths and their raw content
+    const dotenvFiles = {}
+    for (const filepath of [...uniqueEnvFilepaths]) {
+      const raw = fs.readFileSync(filepath, ENCODING)
+      dotenvFiles[filepath] = raw
+    }
+
+    // generate .env.vault string
+    const {
+      dotenvVaultFile,
+      addedVaults,
+      existingVaults,
+      addedDotenvFilenames
+    } = new DotenvVault(dotenvFiles, dotenvKeys, parsedDotenvVaults).run()
+
+    return {
+      // from DotenvKeys
+      dotenvKeys,
+      dotenvKeysFile,
+      addedKeys,
+      existingKeys,
+      // from DotenvVault
+      dotenvVaultFile,
+      addedVaults,
+      existingVaults,
+      addedDotenvFilenames
+    }
+  }
+
+  _envFilepaths () {
+    if (!Array.isArray(this.envFile)) {
+      return [this.envFile]
+    }
+
+    return this.envFile
+  }
+
+  _parsedDotenvKeys () {
+    const options = {
+      path: this.envKeysFilepath
+    }
+
+    return dotenv.configDotenv(options).parsed
+  }
+
+  _parsedDotenvVault () {
+    const options = {
+      path: this.envVaultFilepath
+    }
+
+    return dotenv.configDotenv(options).parsed
+  }
+}
+
+module.exports = Encrypt