@dotenvx/dotenvx 0.3.8 → 0.4.0

package/README.md

@@ -94,7 +94,7 @@ More examples
   ```sh
   FROM node:latest
   RUN echo "HELLO=World" > .env && echo "console.log('Hello ' + process.env.HELLO)" > index.js
-  RUN curl -sfS https://dotenvx.sh/! | bash
+  RUN curl -fsS https://dotenvx.sh/ | sh
   CMD ["dotenvx", "run", "--", "echo", "Hello $HELLO"]
   ```
 
@@ -157,7 +157,12 @@ $ dotenvx run --env-file=.env.local --env-file=.env -- node index.js
 
 ## Encrypt Your Env Files
 
-WIP
+```
+dotenvx encrypt
+```
+
+> This will encrypt your `.env` file to a `.env.vault` file. Commit your `.env.vault` file safely to code.
+> This will also generate a `.env.keys` file. Do NOT commit this file to code. Keep your `.env.keys` secret. 🤫
 
  
 
@@ -273,14 +278,12 @@ npm i @dotenvx/dotenvx --save
 3. Or download it directly as a standalone binary:
 
 ```sh
-curl -sfS https://dotenvx.sh/! | sh
+curl -fsS https://dotenvx.sh/ | sh
 ```
 
-Remove the `!` to install where you prefer. (the `!` downloads directly into `/usr/local/bin/`)
-
 ```sh
 # download it to `./dotenvx`
-curl -sfS https://dotenvx.sh/ | sh
+curl -fsS https://dotenvx.sh/ | sh
 
 # check it works
 ./dotenvx help

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.3.8",
+  "version": "0.4.0",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",
@@ -26,7 +26,8 @@
   "dependencies": {
     "commander": "^11.1.0",
     "dotenv": "^16.3.1",
-    "winston": "^3.11.0"
+    "winston": "^3.11.0",
+    "xxhashjs": "^0.2.2"
   },
   "devDependencies": {
     "jest": "^29.7.0",

package/src/cli/dotenvx.js

@@ -2,6 +2,7 @@
 
 const fs = require('fs')
 const { Command } = require('commander')
+const dotenv = require('dotenv')
 const program = new Command()
 
 // constants
@@ -23,7 +24,7 @@ program
 
     if (options.logLevel) {
       logger.level = options.logLevel
-      logger.debug(`Setting log level to ${options.logLevel}`)
+      logger.debug(`setting log level to ${options.logLevel}`)
     }
 
     // --quiet overides --log-level. only errors will be shown
@@ -48,14 +49,14 @@ program
   .description(packageJson.description)
   .version(packageJson.version)
 
+// dotenvx run -- node index.js
 program.command('run')
   .description('inject env variables into your application process')
-  .option('-f, --env-file <paths...>', 'path to your env file', '.env')
+  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', '.env')
   .option('-o, --overload', 'override existing env variables')
   .action(function () {
-    // injecting 1 environment variable from ${options.envFile}
     const options = this.opts()
-    logger.debug('Configuring options')
+    logger.debug('configuring options')
     logger.debug(options)
 
     // convert to array if needed
@@ -65,33 +66,39 @@ program.command('run')
     }
 
     const env = {}
+    const readableFilepaths = new Set()
+    const written = new Set()
 
     for (const envFilepath of optionEnvFile) {
       const filepath = helpers.resolvePath(envFilepath)
 
-      logger.verbose(`Loading env from ${filepath}`)
+      logger.verbose(`injecting env from ${filepath}`)
 
       try {
-        logger.debug(`Reading env from ${filepath}`)
+        logger.debug(`reading env from ${filepath}`)
         const src = fs.readFileSync(filepath, { encoding: ENCODING })
 
-        logger.debug(`Parsing env from ${filepath}`)
+        logger.debug(`parsing env from ${filepath}`)
         const parsed = main.parse(src)
 
-        logger.debug(`Populating env from ${filepath}`)
-        main.populate(process.env, parsed, { debug: (logger.level === 'debug'), override: options.overload })
+        logger.debug(`writing env from ${filepath}`)
+        const result = main.write(process.env, parsed, options.overload)
+
+        readableFilepaths.add(envFilepath)
+        result.written.forEach(key => written.add(key))
       } catch (e) {
         logger.warn(e)
       }
     }
 
-    logger.info('Injecting X environment variables into your application process')
+    if (readableFilepaths.size > 0) {
+      logger.info(`injecting ${written.size} environment ${helpers.pluralize('variable', written.size)} from ${[...readableFilepaths]}`)
+    }
 
     // Extract command and arguments after '--'
     const commandIndex = process.argv.indexOf('--')
     if (commandIndex === -1 || commandIndex === process.argv.length - 1) {
-      logger.error('At least one argument is required after the run command, received 0.')
-      logger.error('Exiting')
+      logger.error('at least one argument is required after the run command, received 0.')
       process.exit(1)
     } else {
       const subCommand = process.argv.slice(commandIndex + 1)
@@ -100,4 +107,112 @@ program.command('run')
     }
   })
 
+// dotenvx encrypt
+program.command('encrypt')
+  .description('encrypt .env.* to .env.vault')
+  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', helpers.findEnvFiles('./'))
+  .action(function () {
+    const options = this.opts()
+    logger.debug('configuring options')
+    logger.debug(options)
+
+    let optionEnvFile = options.envFile
+    if (!Array.isArray(optionEnvFile)) {
+      optionEnvFile = [optionEnvFile]
+    }
+
+    try {
+      logger.verbose(`generating .env.keys from ${optionEnvFile}`)
+
+      const dotenvKeys = (dotenv.configDotenv({ path: '.env.keys' }).parsed || {})
+
+      for (const envFilepath of optionEnvFile) {
+        const filepath = helpers.resolvePath(envFilepath)
+        if (!fs.existsSync(filepath)) {
+          throw new Error(`file does not exist: ${filepath}`)
+        }
+
+        const environment = helpers.guessEnvironment(filepath)
+        const key = `DOTENV_KEY_${environment.toUpperCase()}`
+
+        let value = dotenvKeys[key]
+
+        // first time seeing new DOTENV_KEY_${environment}
+        if (!value || value.length === 0) {
+          logger.verbose(`generating ${key}`)
+          value = helpers.generateDotenvKey(environment)
+          logger.debug(`generating ${key} as ${value}`)
+
+          dotenvKeys[key] = value
+        } else {
+          logger.verbose(`existing ${key}`)
+          logger.debug(`existing ${key} as ${value}`)
+        }
+      }
+
+      let keysData = `#/!!!!!!!!!!!!!!!!!!!.env.keys!!!!!!!!!!!!!!!!!!!!!!/
+  #/   DOTENV_KEYs. DO NOT commit to source control   /
+  #/   [how it works](https://dotenv.org/env-keys)    /
+  #/--------------------------------------------------/\n`
+
+      for (const key in dotenvKeys) {
+        const value = dotenvKeys[key]
+        keysData += `${key}="${value}"\n`
+      }
+
+      fs.writeFileSync('.env.keys', keysData)
+    } catch (e) {
+      logger.error(e)
+      process.exit(1)
+    }
+
+    try {
+      logger.verbose(`generating .env.vault from ${optionEnvFile}`)
+
+      const dotenvKeys = (dotenv.configDotenv({ path: '.env.keys' }).parsed || {})
+      const dotenvVaults = (dotenv.configDotenv({ path: '.env.vault' }).parsed || {})
+
+      for (const envFilepath of optionEnvFile) {
+        const filepath = helpers.resolvePath(envFilepath)
+        const environment = helpers.guessEnvironment(filepath)
+        const vault = `DOTENV_VAULT_${environment.toUpperCase()}`
+
+        let ciphertext = dotenvVaults[vault]
+        const dotenvKey = dotenvKeys[`DOTENV_KEY_${environment.toUpperCase()}`]
+
+        if (!ciphertext || ciphertext.length === 0 || helpers.changed(ciphertext, dotenvKey, filepath, ENCODING)) {
+          logger.verbose(`encrypting ${vault}`)
+          ciphertext = helpers.encryptFile(filepath, dotenvKey, ENCODING)
+          logger.verbose(`encrypting ${vault} as ${ciphertext}`)
+
+          dotenvVaults[vault] = ciphertext
+        } else {
+          logger.verbose(`existing ${vault}`)
+          logger.debug(`existing ${vault} as ${ciphertext}`)
+        }
+      }
+
+      let vaultData = `#/-------------------.env.vault---------------------/
+#/         cloud-agnostic vaulting standard         /
+#/   [how it works](https://dotenv.org/env-vault)   /
+#/--------------------------------------------------/\n\n`
+
+      for (const vault in dotenvVaults) {
+        const value = dotenvVaults[vault]
+        const environment = vault.replace('DOTENV_VAULT_', '').toLowerCase()
+        vaultData += `# ${environment}\n`
+        vaultData += `${vault}="${value}"\n\n`
+      }
+
+      fs.writeFileSync('.env.vault', vaultData)
+    } catch (e) {
+      logger.error(e)
+      process.exit(1)
+    }
+
+    logger.info(`encrypted ${optionEnvFile} to .env.vault`)
+
+    // logger.info(`encrypting`)
+  })
+
 program.parse(process.argv)

package/src/cli/helpers.js

@@ -1,5 +1,13 @@
+const fs = require('fs')
 const path = require('path')
+const crypto = require('crypto')
 const { spawn } = require('child_process')
+const xxhash = require('xxhashjs')
+const XXHASH_SEED = 0xABCD
+
+const main = require('./../lib/main')
+
+const RESERVED_ENV_FILES = ['.env.vault', '.env.projects', '.env.keys', '.env.me', '.env.x']
 
 // resolve path based on current running process location
 const resolvePath = function (filepath) {
@@ -22,7 +30,118 @@ const executeCommand = function (subCommand, env) {
   })
 }
 
+const pluralize = function (word, count) {
+  // simple pluralization: add 's' at the end
+  if (count === 0 || count > 1) {
+    return word + 's'
+  } else {
+    return word
+  }
+}
+
+const findEnvFiles = function (directory) {
+  const files = fs.readdirSync(directory)
+
+  const envFiles = files.filter(file =>
+    file.startsWith('.env') &&
+    !file.endsWith('.previous') &&
+    !RESERVED_ENV_FILES.includes(file)
+  )
+
+  return envFiles
+}
+
+const guessEnvironment = function (file) {
+  const splitFile = file.split('.')
+  const possibleEnvironment = splitFile[2] // ['', 'env', environment']
+
+  if (!possibleEnvironment || possibleEnvironment.length === 0) {
+    return 'development'
+  }
+
+  return possibleEnvironment
+}
+
+const generateDotenvKey = function (environment) {
+  const rand = crypto.randomBytes(32).toString('hex')
+
+  return `dotenv://:key_${rand}@dotenvx.com/vault/.env.vault?environment=${environment.toLowerCase()}`
+}
+
+const encryptFile = function (filepath, dotenvKey, encoding) {
+  const key = this._parseEncryptionKeyFromDotenvKey(dotenvKey)
+  const message = fs.readFileSync(filepath, encoding)
+
+  const ciphertext = this.encrypt(key, message)
+
+  return ciphertext
+}
+
+const encrypt = function (key, message) {
+  // set up nonce
+  const nonce = this._generateNonce()
+
+  // set up cipher
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce)
+
+  // generate ciphertext
+  let ciphertext = ''
+  ciphertext += cipher.update(message, 'utf8', 'hex')
+  ciphertext += cipher.final('hex')
+  ciphertext += cipher.getAuthTag().toString('hex')
+
+  // prepend nonce
+  ciphertext = nonce.toString('hex') + ciphertext
+
+  // base64 encode output
+  return Buffer.from(ciphertext, 'hex').toString('base64')
+}
+
+const changed = function (ciphertext, dotenvKey, filepath, encoding) {
+  const key = this._parseEncryptionKeyFromDotenvKey(dotenvKey)
+  const decrypted = main.decrypt(ciphertext, key)
+  const raw = fs.readFileSync(filepath, encoding)
+
+  return this.hash(decrypted) !== this.hash(raw)
+}
+
+const hash = function (str) {
+  return xxhash.h32(str, XXHASH_SEED).toString(16)
+}
+
+const _parseEncryptionKeyFromDotenvKey = function (dotenvKey) {
+  // Parse DOTENV_KEY. Format is a URI
+  const uri = new URL(dotenvKey)
+
+  // Get decrypt key
+  const key = uri.password
+  if (!key) {
+    throw new Error('INVALID_DOTENV_KEY: Missing key part')
+  }
+
+  return Buffer.from(key.slice(-64), 'hex')
+}
+
+const _generateNonce = function () {
+  return crypto.randomBytes(this._nonceBytes())
+}
+
+const _nonceBytes = function () {
+  return 12
+}
+
 module.exports = {
   resolvePath,
-  executeCommand
+  executeCommand,
+  pluralize,
+  findEnvFiles,
+  guessEnvironment,
+  generateDotenvKey,
+  encryptFile,
+  encrypt,
+  changed,
+  hash,
+  _parseEncryptionKeyFromDotenvKey,
+  _generateNonce,
+  _nonceBytes
 }

package/src/lib/main.js

@@ -5,6 +5,10 @@ const config = function (options) {
   return dotenv.config(options)
 }
 
+const decrypt = function (encrypted, keyStr) {
+  return dotenv.decrypt(encrypted, keyStr)
+}
+
 const parse = function (src) {
   const result = dotenv.parse(src)
 
@@ -13,16 +17,47 @@ const parse = function (src) {
   return result
 }
 
-const populate = function (processEnv, parsed, options = {}) {
-  const result = dotenv.populate(processEnv, parsed, options = {})
-
-  logger.debug(process.env)
-
-  return result
+const write = function (processEnv = {}, parsed = {}, overload = false) {
+  if (typeof parsed !== 'object') {
+    throw new Error('OBJECT_REQUIRED: Please check the parsed argument being passed to write')
+  }
+
+  const written = new Set()
+  const preExisting = new Set()
+
+  // set processEnv
+  for (const key of Object.keys(parsed)) {
+    if (Object.prototype.hasOwnProperty.call(processEnv, key)) {
+      if (overload === true) {
+        processEnv[key] = parsed[key]
+        written.add(key)
+
+        logger.verbose(`${key} set`)
+        logger.debug(`${key} set to ${parsed[key]}`)
+      } else {
+        preExisting.add(key)
+
+        logger.verbose(`${key} pre-exists`)
+        logger.debug(`${key} pre-exists as ${processEnv[key]}`)
+      }
+    } else {
+      processEnv[key] = parsed[key]
+      written.add(key)
+
+      logger.verbose(`${key} set`)
+      logger.debug(`${key} set to ${parsed[key]}`)
+    }
+  }
+
+  return {
+    written,
+    preExisting
+  }
 }
 
 module.exports = {
   config,
+  decrypt,
   parse,
-  populate
+  write
 }

package/src/shared/logger.js

@@ -7,10 +7,14 @@ const transports = winston.transports
 
 const packageJson = require('./packageJson')
 
+function pad (word) {
+  return word.padEnd(9, ' ')
+}
+
 const dotenvxFormat = printf(({ level, message, label, timestamp }) => {
   const formattedMessage = typeof message === 'object' ? JSON.stringify(message) : message
 
-  return `[dotenvx@${packageJson.version}][${level.toUpperCase()}] ${formattedMessage}`
+  return `[dotenvx@${packageJson.version}]${pad(`[${level.toUpperCase()}]`)} ${formattedMessage}`
 })
 
 const logger = createLogger({