@dotenvx/dotenvx 1.19.3 → 1.20.0

package/src/lib/services/decrypt.js

@@ -3,113 +3,114 @@ const path = require('path')
 const dotenv = require('dotenv')
 const picomatch = require('picomatch')
 
-const smartDotenvPrivateKey = require('./../helpers/smartDotenvPrivateKey')
+const TYPE_ENV_FILE = 'envFile'
+
 const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
+const findPrivateKey = require('./../helpers/findPrivateKey')
 const decryptValue = require('./../helpers/decryptValue')
 const isEncrypted = require('./../helpers/isEncrypted')
 const replace = require('./../helpers/replace')
+const detectEncoding = require('./../helpers/detectEncoding')
+const determineEnvs = require('./../helpers/determineEnvs')
 
 class Decrypt {
-  /**
-   * @param {string|string[]} [envFile]
-   * @param {string|string[]} [key]
-   * @param {string|string[]} [excludeKey]
-   **/
-  constructor (envFile = '.env', key = [], excludeKey = []) {
-    this.envFile = envFile
+  constructor (envs = [], key = [], excludeKey = []) {
+    this.envs = determineEnvs(envs, process.env)
     this.key = key
     this.excludeKey = excludeKey
-    this.processedEnvFiles = []
+
+    this.processedEnvs = []
     this.changedFilepaths = new Set()
     this.unchangedFilepaths = new Set()
   }
 
   run () {
-    const envFilepaths = this._envFilepaths()
-    const keys = this._keys()
+    // example
+    // envs [
+    //   { type: 'envFile', value: '.env' }
+    // ]
+
+    this.keys = this._keys()
     const excludeKeys = this._excludeKeys()
-    const exclude = picomatch(excludeKeys)
-    const include = picomatch(keys, { ignore: excludeKeys })
-
-    for (const envFilepath of envFilepaths) {
-      const filepath = path.resolve(envFilepath)
-
-      const row = {}
-      row.keys = []
-      row.filepath = filepath
-      row.envFilepath = envFilepath
-
-      try {
-        // get the src
-        let src = fsx.readFileX(filepath)
-
-        // if DOTENV_PRIVATE_KEY_* already set in process.env then use it
-        const privateKey = smartDotenvPrivateKey(envFilepath)
-        row.privateKey = privateKey
-        row.privateKeyName = guessPrivateKeyName(filepath)
-
-        // track possible changes
-        row.changed = false
-
-        // iterate over all non-encrypted values and encrypt them
-        const parsed = dotenv.parse(src)
-        for (const [key, value] of Object.entries(parsed)) {
-          // key excluded - don't decrypt it
-          if (exclude(key)) {
-            continue
-          }
-
-          // key effectively excluded (by not being in the list of includes) - don't encrypt it
-          if (keys.length > 0 && !include(key)) {
-            continue
-          }
-
-          const encrypted = isEncrypted(key, value)
-          if (encrypted) {
-            row.keys.push(key) // track key(s)
-
-            const decryptedValue = decryptValue(value, privateKey)
-            // once newSrc is built write it out
-            src = replace(src, key, decryptedValue)
-
-            row.changed = true // track change
-          }
-        }
 
-        if (row.changed) {
-          row.envSrc = src
-          this.changedFilepaths.add(envFilepath)
-        } else {
-          row.envSrc = src
-          this.unchangedFilepaths.add(envFilepath)
-        }
-      } catch (e) {
-        if (e.code === 'ENOENT') {
-          const error = new Error(`missing ${envFilepath} file (${filepath})`)
-          error.code = 'MISSING_ENV_FILE'
-
-          row.error = error
-        } else {
-          row.error = e
-        }
-      }
+    this.exclude = picomatch(excludeKeys)
+    this.include = picomatch(this.keys, { ignore: excludeKeys })
 
-      this.processedEnvFiles.push(row)
+    for (const env of this.envs) {
+      if (env.type === TYPE_ENV_FILE) {
+        this._decryptEnvFile(env.value)
+      }
     }
 
     return {
-      processedEnvFiles: this.processedEnvFiles,
+      processedEnvs: this.processedEnvs,
       changedFilepaths: [...this.changedFilepaths],
       unchangedFilepaths: [...this.unchangedFilepaths]
     }
   }
 
-  _envFilepaths () {
-    if (!Array.isArray(this.envFile)) {
-      return [this.envFile]
+  _decryptEnvFile (envFilepath) {
+    const row = {}
+    row.keys = []
+    row.type = TYPE_ENV_FILE
+
+    const filepath = path.resolve(envFilepath)
+    row.filepath = filepath
+    row.envFilepath = envFilepath
+
+    try {
+      const encoding = this._detectEncoding(filepath)
+      let envSrc = fsx.readFileX(filepath, { encoding })
+      const envParsed = dotenv.parse(envSrc)
+
+      const privateKey = findPrivateKey(envFilepath)
+      const privateKeyName = guessPrivateKeyName(envFilepath)
+
+      row.privateKey = privateKey
+      row.privateKeyName = privateKeyName
+      row.changed = false // track possible changes
+
+      for (const [key, value] of Object.entries(envParsed)) {
+        // key excluded - don't decrypt it
+        if (this.exclude(key)) {
+          continue
+        }
+
+        // key effectively excluded (by not being in the list of includes) - don't decrypt it
+        if (this.keys.length > 0 && !this.include(key)) {
+          continue
+        }
+
+        const encrypted = isEncrypted(value)
+        if (encrypted) {
+          row.keys.push(key) // track key(s)
+
+          const decryptedValue = decryptValue(value, privateKey)
+          // once newSrc is built write it out
+          envSrc = replace(envSrc, key, decryptedValue)
+
+          row.changed = true // track change
+        }
+      }
+
+      row.envSrc = envSrc
+      if (row.changed) {
+        this.changedFilepaths.add(envFilepath)
+      } else {
+        this.unchangedFilepaths.add(envFilepath)
+      }
+    } catch (e) {
+      if (e.code === 'ENOENT') {
+        const error = new Error(`missing ${envFilepath} file (${filepath})`)
+        error.code = 'MISSING_ENV_FILE'
+
+        row.error = error
+      } else {
+        row.error = e
+      }
     }
 
-    return this.envFile
+    this.processedEnvs.push(row)
   }
 
   _keys () {
@@ -127,6 +128,10 @@ class Decrypt {
 
     return this.excludeKey
   }
+
+  _detectEncoding (filepath) {
+    return detectEncoding(filepath)
+  }
 }
 
 module.exports = Decrypt

package/src/lib/services/encrypt.js

@@ -3,127 +3,194 @@ const path = require('path')
 const dotenv = require('dotenv')
 const picomatch = require('picomatch')
 
-const findOrCreatePublicKey = require('./../helpers/findOrCreatePublicKey')
+const TYPE_ENV_FILE = 'envFile'
+
 const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
+const guessPublicKeyName = require('./../helpers/guessPublicKeyName')
 const encryptValue = require('./../helpers/encryptValue')
 const isEncrypted = require('./../helpers/isEncrypted')
-const isPublicKey = require('./../helpers/isPublicKey')
 const replace = require('./../helpers/replace')
+const detectEncoding = require('./../helpers/detectEncoding')
+const determineEnvs = require('./../helpers/determineEnvs')
+const findPrivateKey = require('./../helpers/findPrivateKey')
+const findPublicKey = require('./../helpers/findPublicKey')
+const keyPair = require('./../helpers/keyPair')
+const truncate = require('./../helpers/truncate')
+const isPublicKey = require('./../helpers/isPublicKey')
 
 class Encrypt {
-  /**
-   * @param {string|string[]} [envFile]
-   * @param {string|string[]} [key]
-   * @param {string|string[]} [excludeKey]
-   **/
-  constructor (envFile = '.env', key = [], excludeKey = []) {
-    this.envFile = envFile
+  constructor (envs = [], key = [], excludeKey = []) {
+    this.envs = determineEnvs(envs, process.env)
     this.key = key
     this.excludeKey = excludeKey
-    this.processedEnvFiles = []
+
+    this.processedEnvs = []
     this.changedFilepaths = new Set()
     this.unchangedFilepaths = new Set()
   }
 
   run () {
-    const envFilepaths = this._envFilepaths()
-    const keys = this._keys()
+    // example
+    // envs [
+    //   { type: 'envFile', value: '.env' }
+    // ]
+
+    this.keys = this._keys()
     const excludeKeys = this._excludeKeys()
-    const exclude = picomatch(excludeKeys)
-    const include = picomatch(keys, { ignore: excludeKeys })
 
-    for (const envFilepath of envFilepaths) {
-      const filepath = path.resolve(envFilepath)
+    this.exclude = picomatch(excludeKeys)
+    this.include = picomatch(this.keys, { ignore: excludeKeys })
 
-      const row = {}
-      row.keys = []
-      row.filepath = filepath
-      row.envFilepath = envFilepath
+    for (const env of this.envs) {
+      if (env.type === TYPE_ENV_FILE) {
+        this._encryptEnvFile(env.value)
+      }
+    }
+
+    return {
+      processedEnvs: this.processedEnvs,
+      changedFilepaths: [...this.changedFilepaths],
+      unchangedFilepaths: [...this.unchangedFilepaths]
+    }
+  }
 
-      try {
-        // get the original src
-        let src = fsx.readFileX(filepath)
-        // get/generate the public key
+  _encryptEnvFile (envFilepath) {
+    const row = {}
+    row.keys = []
+    row.type = TYPE_ENV_FILE
+
+    const filename = path.basename(envFilepath)
+    const filepath = path.resolve(envFilepath)
+    row.filepath = filepath
+    row.envFilepath = envFilepath
+
+    try {
+      const encoding = this._detectEncoding(filepath)
+      let envSrc = fsx.readFileX(filepath, { encoding })
+      const envParsed = dotenv.parse(envSrc)
+
+      let publicKey
+      let privateKey
+
+      const publicKeyName = guessPublicKeyName(envFilepath)
+      const privateKeyName = guessPrivateKeyName(envFilepath)
+      const existingPrivateKey = findPrivateKey(envFilepath)
+      const existingPublicKey = findPublicKey(envFilepath)
+
+      if (existingPrivateKey) {
+        const kp = keyPair(existingPrivateKey)
+        publicKey = kp.publicKey
+        privateKey = kp.privateKey
+
+        // if derivation doesn't match what's in the file (or preset in env)
+        if (existingPublicKey && existingPublicKey !== publicKey) {
+          const error = new Error(`derived public key (${truncate(publicKey)}) does not match the existing public key (${truncate(existingPublicKey)})`)
+          error.code = 'INVALID_DOTENV_PRIVATE_KEY'
+          error.help = `debug info: ${privateKeyName}=${truncate(existingPrivateKey)} (derived ${publicKeyName}=${truncate(publicKey)} vs existing ${publicKeyName}=${truncate(existingPublicKey)})`
+          throw error
+        }
+      } else if (existingPublicKey) {
+        publicKey = existingPublicKey
+      } else {
+        // .env.keys
+        let keysSrc = ''
         const envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
-        const {
-          envSrc,
-          keysSrc,
-          publicKey,
-          privateKey,
-          publicKeyAdded,
-          privateKeyAdded
-        } = findOrCreatePublicKey(filepath, envKeysFilepath)
-
-        // handle .env.keys write
-        fsx.writeFileX(envKeysFilepath, keysSrc)
+        if (fsx.existsSync(envKeysFilepath)) {
+          keysSrc = fsx.readFileX(envKeysFilepath)
+        }
 
-        src = envSrc // src was potentially modified by findOrCreatePublicKey so we set it again here
-
-        row.changed = publicKeyAdded // track change
-        row.publicKey = publicKey
-        row.privateKey = privateKey
-        row.privateKeyAdded = privateKeyAdded
-        row.privateKeyName = guessPrivateKeyName(filepath)
-
-        // iterate over all non-encrypted values and encrypt them
-        const parsed = dotenv.parse(src)
-        for (const [key, value] of Object.entries(parsed)) {
-          // key excluded - don't encrypt it
-          if (exclude(key)) {
-            continue
-          }
-
-          // key effectively excluded (by not being in the list of includes) - don't encrypt it
-          if (keys.length > 0 && !include(key)) {
-            continue
-          }
-
-          const encrypted = isEncrypted(key, value) || isPublicKey(key, value)
-          if (!encrypted) {
-            row.keys.push(key) // track key(s)
-
-            const encryptedValue = encryptValue(value, publicKey)
-            // once newSrc is built write it out
-            src = replace(src, key, encryptedValue)
-
-            row.changed = true // track change
-          }
+        // preserve shebang
+        const [firstLine, ...remainingLines] = envSrc.split('\n')
+        let firstLinePreserved = ''
+        if (firstLine.startsWith('#!')) {
+          firstLinePreserved = firstLine + '\n'
+          envSrc = remainingLines.join('\n')
         }
 
-        if (row.changed) {
-          row.envSrc = src
-          this.changedFilepaths.add(envFilepath)
-        } else {
-          row.envSrc = src
-          this.unchangedFilepaths.add(envFilepath)
+        const kp = keyPair() // generates a fresh keypair in memory
+        publicKey = kp.publicKey
+        privateKey = kp.privateKey
+
+        // publicKey
+        const prependPublicKey = [
+          '#/-------------------[DOTENV_PUBLIC_KEY]--------------------/',
+          '#/            public-key encryption for .env files          /',
+          '#/       [how it works](https://dotenvx.com/encryption)     /',
+          '#/----------------------------------------------------------/',
+          `${publicKeyName}="${publicKey}"`,
+          '',
+          `# ${filename}`
+        ].join('\n')
+
+        // privateKey
+        const firstTimeKeysSrc = [
+          '#/------------------!DOTENV_PRIVATE_KEYS!-------------------/',
+          '#/ private decryption keys. DO NOT commit to source control /',
+          '#/     [how it works](https://dotenvx.com/encryption)       /',
+          '#/----------------------------------------------------------/'
+        ].join('\n')
+        const appendPrivateKey = [
+          `# ${filename}`,
+          `${privateKeyName}="${privateKey}"`,
+          ''
+        ].join('\n')
+
+        envSrc = `${firstLinePreserved}${prependPublicKey}\n${envSrc}`
+        keysSrc = keysSrc.length > 1 ? keysSrc : `${firstTimeKeysSrc}\n`
+        keysSrc = `${keysSrc}\n${appendPrivateKey}`
+
+        // write to .env.keys
+        fsx.writeFileX(envKeysFilepath, keysSrc)
+
+        row.privateKeyAdded = true
+      }
+
+      row.publicKey = publicKey
+      row.privateKey = privateKey
+      row.privateKeyName = privateKeyName
+
+      // iterate over all non-encrypted values and encrypt them
+      for (const [key, value] of Object.entries(envParsed)) {
+        // key excluded - don't encrypt it
+        if (this.exclude(key)) {
+          continue
         }
-      } catch (e) {
-        if (e.code === 'ENOENT') {
-          const error = new Error(`missing ${envFilepath} file (${filepath})`)
-          error.code = 'MISSING_ENV_FILE'
-
-          row.error = error
-        } else {
-          row.error = e
+
+        // key effectively excluded (by not being in the list of includes) - don't encrypt it
+        if (this.keys.length > 0 && !this.include(key)) {
+          continue
         }
-      }
 
-      this.processedEnvFiles.push(row)
-    }
+        const encrypted = isEncrypted(value) || isPublicKey(key, value)
+        if (!encrypted) {
+          row.keys.push(key) // track key(s)
 
-    return {
-      processedEnvFiles: this.processedEnvFiles,
-      changedFilepaths: [...this.changedFilepaths],
-      unchangedFilepaths: [...this.unchangedFilepaths]
-    }
-  }
+          const encryptedValue = encryptValue(value, publicKey)
+          // once newSrc is built write it out
+          envSrc = replace(envSrc, key, encryptedValue)
+
+          row.changed = true // track change
+        }
+      }
 
-  _envFilepaths () {
-    if (!Array.isArray(this.envFile)) {
-      return [this.envFile]
+      row.envSrc = envSrc
+      if (row.changed) {
+        this.changedFilepaths.add(envFilepath)
+      } else {
+        this.unchangedFilepaths.add(envFilepath)
+      }
+    } catch (e) {
+      if (e.code === 'ENOENT') {
+        const error = new Error(`missing ${envFilepath} file (${filepath})`)
+        error.code = 'MISSING_ENV_FILE'
+
+        row.error = error
+      } else {
+        row.error = e
+      }
     }
 
-    return this.envFile
+    this.processedEnvs.push(row)
   }
 
   _keys () {
@@ -141,6 +208,10 @@ class Encrypt {
 
     return this.excludeKey
   }
+
+  _detectEncoding (filepath) {
+    return detectEncoding(filepath)
+  }
 }
 
 module.exports = Encrypt

package/src/lib/services/run.js

@@ -1,28 +1,22 @@
 const fsx = require('./../helpers/fsx')
 const path = require('path')
 const dotenv = require('dotenv')
-const childProcess = require('child_process')
 
 const TYPE_ENV = 'env'
 const TYPE_ENV_FILE = 'envFile'
 const TYPE_ENV_VAULT_FILE = 'envVaultFile'
-const DEFAULT_ENVS = [{ type: TYPE_ENV_FILE, value: '.env' }]
-const DEFAULT_ENV_VAULTS = [{ type: TYPE_ENV_VAULT_FILE, value: '.env.vault' }]
 
 const inject = require('./../helpers/inject')
 const decrypt = require('./../helpers/decrypt')
 const parseDecryptEvalExpand = require('./../helpers/parseDecryptEvalExpand')
 const parseEnvironmentFromDotenvKey = require('./../helpers/parseEnvironmentFromDotenvKey')
-const guessPrivateKeyFilename = require('./../helpers/guessPrivateKeyFilename')
-const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
 const detectEncoding = require('./../helpers/detectEncoding')
-
-const Keypair = require('./../services/keypair')
+const findPrivateKey = require('./../helpers/findPrivateKey')
+const determineEnvs = require('./../helpers/determineEnvs')
 
 class Run {
   constructor (envs = [], overload = false, DOTENV_KEY = '', processEnv = process.env) {
-    this.dotenvPrivateKeyNames = Object.keys(processEnv).filter(key => key.startsWith('DOTENV_PRIVATE_KEY')) // important, must be first. used by determineEnvs
-    this.envs = this._determineEnvs(envs, DOTENV_KEY)
+    this.envs = determineEnvs(envs, processEnv, DOTENV_KEY)
     this.overload = overload
     this.DOTENV_KEY = DOTENV_KEY
     this.processEnv = processEnv
@@ -43,7 +37,7 @@ class Run {
     // ]
 
     for (const env of this.envs) {
-      if (env.type === TYPE_ENV_VAULT_FILE) {
+      if (env.type === TYPE_ENV_VAULT_FILE) { // deprecate someday - for deprecated .env.vault files
         this._injectEnvVaultFile(env.value)
       } else if (env.type === TYPE_ENV_FILE) {
         this._injectEnvFile(env.value)
@@ -96,7 +90,7 @@ class Run {
       const src = fsx.readFileX(filepath, { encoding })
       this.readableFilepaths.add(envFilepath)
 
-      const privateKey = this._determinePrivateKey(envFilepath)
+      const privateKey = findPrivateKey(envFilepath)
       const { parsed, processEnv, warnings } = parseDecryptEvalExpand(src, privateKey, this.processEnv)
       row.parsed = parsed
       row.warnings = warnings
@@ -189,61 +183,6 @@ class Run {
     return inject(clonedProcessEnv, parsed, overload, processEnv)
   }
 
-  _determineEnvsFromDotenvPrivateKey () {
-    const envs = []
-
-    for (const privateKeyName of this.dotenvPrivateKeyNames) {
-      const filename = guessPrivateKeyFilename(privateKeyName)
-      envs.push({ type: TYPE_ENV_FILE, value: filename })
-    }
-
-    return envs
-  }
-
-  _determineEnvs (envs = [], DOTENV_KEY = '') {
-    if (!envs || envs.length <= 0) {
-      // if process.env.DOTENV_PRIVATE_KEY or process.env.DOTENV_PRIVATE_KEY_${environment} is set, assume inline encryption methodology
-      if (this.dotenvPrivateKeyNames.length > 0) {
-        return this._determineEnvsFromDotenvPrivateKey()
-      }
-
-      if (DOTENV_KEY.length > 0) {
-        // if DOTENV_KEY is set then default to look for .env.vault file
-        return DEFAULT_ENV_VAULTS
-      } else {
-        return DEFAULT_ENVS // default to .env file expectation
-      }
-    } else {
-      let fileAlreadySpecified = false // can be .env or .env.vault type
-
-      for (const env of envs) {
-        // if DOTENV_KEY set then we are checking if a .env.vault file is already specified
-        if (DOTENV_KEY.length > 0 && env.type === TYPE_ENV_VAULT_FILE) {
-          fileAlreadySpecified = true
-        }
-
-        // if DOTENV_KEY not set then we are checking if a .env file is already specified
-        if (DOTENV_KEY.length <= 0 && env.type === TYPE_ENV_FILE) {
-          fileAlreadySpecified = true
-        }
-      }
-
-      // return early since envs array objects already contain 1 .env.vault or .env file
-      if (fileAlreadySpecified) {
-        return envs
-      }
-
-      // no .env.vault or .env file specified as a flag so we assume either .env.vault (if dotenv key is set) or a .env file
-      if (DOTENV_KEY.length > 0) {
-        // if DOTENV_KEY is set then default to look for .env.vault file
-        return [...DEFAULT_ENV_VAULTS, ...envs]
-      } else {
-        // if no DOTENV_KEY then default to look for .env file
-        return [...DEFAULT_ENVS, ...envs]
-      }
-    }
-  }
-
   // handle scenario for comma separated keys - for use with key rotation
   // example: DOTENV_KEY="dotenv://:key_1234@dotenvx.com/vault/.env.vault?environment=prod,dotenv://:key_7890@dotenvx.com/vault/.env.vault?environment=prod"
   _dotenvKeys () {
@@ -271,29 +210,6 @@ class Run {
 
     return decrypt(ciphertext, dotenvKey)
   }
-
-  _determinePrivateKey (envFilepath) {
-    const privateKeyName = guessPrivateKeyName(envFilepath)
-
-    let privateKey
-    try {
-      // if installed as sibling module
-      const projectRoot = path.resolve(process.cwd())
-      const dotenvxProPath = require.resolve('@dotenvx/dotenvx-pro', { paths: [projectRoot] })
-      const { keypair } = require(dotenvxProPath)
-      privateKey = keypair(envFilepath, privateKeyName)
-    } catch (_e) {
-      try {
-        // if installed as binary cli
-        privateKey = childProcess.execSync(`dotenvx-pro keypair ${privateKeyName} -f ${envFilepath}`, { stdio: ['pipe', 'pipe', 'ignore'] }).toString().trim()
-      } catch (_e) {
-        // fallback to local KeyPair - smart enough to handle process.env, .env.keys, etc
-        privateKey = new Keypair(envFilepath, privateKeyName).run()
-      }
-    }
-
-    return privateKey
-  }
 }
 
 module.exports = Run