@dotenvx/dotenvx 1.55.0 → 1.56.0

package/src/lib/helpers/envResolution/determine.js

@@ -0,0 +1,46 @@
+const dotenvPrivateKeyNames = require('./../dotenvPrivateKeyNames')
+const guessPrivateKeyFilename = require('./../guessPrivateKeyFilename')
+
+const TYPE_ENV_FILE = 'envFile'
+const DEFAULT_ENVS = [{ type: TYPE_ENV_FILE, value: '.env' }]
+
+function envsFromDotenvPrivateKey (privateKeyNames) {
+  const envs = []
+
+  for (const privateKeyName of privateKeyNames) {
+    const filename = guessPrivateKeyFilename(privateKeyName)
+    envs.push({ type: TYPE_ENV_FILE, value: filename })
+  }
+
+  return envs
+}
+
+function determine (envs = [], processEnv) {
+  const privateKeyNames = dotenvPrivateKeyNames(processEnv)
+  if (!envs || envs.length <= 0) {
+    // if process.env.DOTENV_PRIVATE_KEY or process.env.DOTENV_PRIVATE_KEY_${environment} is set, assume inline encryption methodology
+    if (privateKeyNames.length > 0) {
+      return envsFromDotenvPrivateKey(privateKeyNames)
+    }
+
+    return DEFAULT_ENVS // default to .env file expectation
+  } else {
+    let fileAlreadySpecified = false
+
+    for (const env of envs) {
+      if (env.type === TYPE_ENV_FILE) {
+        fileAlreadySpecified = true
+      }
+    }
+
+    // return early since envs array objects already contain 1 .env file
+    if (fileAlreadySpecified) {
+      return envs
+    }
+
+    // no .env file specified as a flag so default to .env
+    return [...DEFAULT_ENVS, ...envs]
+  }
+}
+
+module.exports = determine

package/src/lib/helpers/{guessEnvironment.js → envResolution/environment.js}

@@ -1,7 +1,7 @@
 const path = require('path')
 
-function guessEnvironment (filepath) {
-  const filename = path.basename(filepath)
+function environment (filepath) {
+  const filename = path.basename(filepath).toLowerCase()
 
   const parts = filename.split('.')
   const possibleEnvironmentList = [...parts.slice(2)]
@@ -17,13 +17,11 @@ function guessEnvironment (filepath) {
     return possibleEnvironmentList[0]
   }
 
-  if (
-    possibleEnvironmentList.length === 2
-  ) {
+  if (possibleEnvironmentList.length === 2) {
     return possibleEnvironmentList.join('_')
   }
 
   return possibleEnvironmentList.slice(0, 2).join('_')
 }
 
-module.exports = guessEnvironment
+module.exports = environment

package/src/lib/helpers/envResolution/index.js

@@ -0,0 +1,8 @@
+module.exports = {
+  buildEnvs: require('./../buildEnvs'),
+  determine: require('./determine'),
+  findEnvFiles: require('./../findEnvFiles'),
+  dotenvOptionPaths: require('./../dotenvOptionPaths'),
+  environment: require('./environment'),
+  conventions: require('./../conventions')
+}

package/src/lib/helpers/errors.js

@@ -8,6 +8,8 @@ class Errors {
     this.key = options.key
     this.privateKey = options.privateKey
     this.privateKeyName = options.privateKeyName
+    this.publicKey = options.publicKey
+    this.publicKeyExisting = options.publicKeyExisting
     this.command = options.command
 
     this.message = options.message
@@ -55,6 +57,17 @@ class Errors {
     return e
   }
 
+  mispairedPrivateKey () {
+    const code = 'MISPAIRED_PRIVATE_KEY'
+    const message = `[${code}] private key's derived public key (${truncate(this.publicKey)}) does not match the existing public key (${truncate(this.publicKeyExisting)})`
+    const help = `[${code}] https://github.com/dotenvx/dotenvx/issues/752`
+
+    const e = new Error(message)
+    e.code = code
+    e.help = help
+    return e
+  }
+
   looksWrongPrivateKey () {
     const code = 'WRONG_PRIVATE_KEY'
     const message = `[${code}] could not decrypt ${this.key} using private key '${this.privateKeyName}=${truncate(this.privateKey)}'`

package/src/lib/helpers/findEnvFiles.js

@@ -1,6 +1,6 @@
 const fsx = require('./fsx')
 
-const RESERVED_ENV_FILES = ['.env.vault', '.env.project', '.env.keys', '.env.me', '.env.x', '.env.example']
+const RESERVED_ENV_FILES = ['.env.project', '.env.keys', '.env.me', '.env.x', '.env.example']
 
 function findEnvFiles (directory) {
   try {

package/src/lib/helpers/isFullyEncrypted.js

@@ -1,6 +1,6 @@
 const dotenvParse = require('./dotenvParse')
-const isEncrypted = require('./isEncrypted')
-const isPublicKey = require('./isPublicKey')
+const isEncrypted = require('./cryptography/isEncrypted')
+const isPublicKey = require('./cryptography/isPublicKey')
 
 function isFullyEncrypted (src) {
   const parsed = dotenvParse(src, false, false, true) // collect all values
@@ -14,7 +14,7 @@ function isFullyEncrypted (src) {
     //
     // key => [value1, ...]
     for (const value of values) {
-      const result = isEncrypted(value) || isPublicKey(key, value)
+      const result = isEncrypted(value) || isPublicKey(key)
       if (!result) {
         return false
       }

package/src/lib/helpers/keyResolution/index.js

@@ -0,0 +1,13 @@
+module.exports = {
+  keyNames: require('./keyNames'),
+  keyValues: require('./keyValues'),
+
+  // private
+  // private keys are resolved via keyValues()
+
+  // other
+  readProcessKey: require('./readProcessKey'),
+  readFileKey: require('./readFileKey'),
+  guessPrivateKeyFilename: require('./../guessPrivateKeyFilename'),
+  dotenvPrivateKeyNames: require('./../dotenvPrivateKeyNames')
+}

package/src/lib/helpers/keyResolution/keyNames.js

@@ -0,0 +1,24 @@
+const path = require('path')
+const environment = require('./../envResolution/environment')
+
+function keyNames (filepath) {
+  const filename = path.basename(filepath).toLowerCase()
+
+  // .env
+  if (filename === '.env') {
+    return {
+      publicKeyName: 'DOTENV_PUBLIC_KEY',
+      privateKeyName: 'DOTENV_PRIVATE_KEY'
+    }
+  }
+
+  // .env.ENVIRONMENT
+  const resolvedEnvironment = environment(filename).toUpperCase()
+
+  return {
+    publicKeyName: `DOTENV_PUBLIC_KEY_${resolvedEnvironment}`,
+    privateKeyName: `DOTENV_PRIVATE_KEY_${resolvedEnvironment}`
+  }
+}
+
+module.exports = keyNames

package/src/lib/helpers/keyResolution/keyValues.js

@@ -0,0 +1,85 @@
+const path = require('path')
+
+const fsx = require('./../fsx')
+const dotenvParse = require('./../dotenvParse')
+const keyNames = require('./keyNames')
+const readProcessKey = require('./readProcessKey')
+const readFileKey = require('./readFileKey')
+const opsKeypair = require('../cryptography/opsKeypair')
+
+function invertForPrivateKeyName (filepath) {
+  const PUBLIC_KEY_SCHEMA = 'DOTENV_PUBLIC_KEY'
+  const PRIVATE_KEY_SCHEMA = 'DOTENV_PRIVATE_KEY'
+
+  if (!fsx.existsSync(filepath)) {
+    return null
+  }
+
+  const envSrc = fsx.readFileX(filepath)
+  const envParsed = dotenvParse(envSrc)
+
+  let publicKeyName
+  for (const keyName of Object.keys(envParsed)) {
+    if (keyName === PUBLIC_KEY_SCHEMA || keyName.startsWith(PUBLIC_KEY_SCHEMA)) {
+      publicKeyName = keyName // find DOTENV_PUBLIC_KEY* in filename
+    }
+  }
+
+  if (publicKeyName) {
+    return publicKeyName.replace(PUBLIC_KEY_SCHEMA, PRIVATE_KEY_SCHEMA) // return inverted (DOTENV_PUBLIC_KEY* -> DOTENV_PRIVATE_KEY*) if found
+  }
+
+  return null
+}
+
+function keyValues (filepath, opts = {}) {
+  let keysFilepath = opts.keysFilepath || null
+  const opsOn = opts.opsOn === true
+  const names = keyNames(filepath)
+  const publicKeyName = names.publicKeyName // DOTENV_PUBLIC_KEY_${ENVIRONMENT}
+  let privateKeyName = names.privateKeyName // DOTENV_PRIVATE_KEY_${ENVIRONMENT}
+
+  let publicKey = null
+  let privateKey = null
+
+  // public key: process.env first, then .env*
+  publicKey = readProcessKey(publicKeyName)
+  if (!publicKey) {
+    publicKey = readFileKey(publicKeyName, filepath) || null
+  }
+
+  // private key: process.env first, then .env.keys, then invert public key
+  privateKey = readProcessKey(privateKeyName)
+  if (!privateKey) {
+    if (keysFilepath) { // user specified -fk flag
+      keysFilepath = path.resolve(keysFilepath)
+    } else {
+      keysFilepath = path.resolve(path.dirname(filepath), '.env.keys') // typical scenario
+    }
+
+    privateKey = readFileKey(privateKeyName, keysFilepath)
+  }
+  // invert
+  if (!privateKey) {
+    privateKeyName = invertForPrivateKeyName(filepath)
+    if (privateKeyName) {
+      privateKey = readProcessKey(privateKeyName)
+      if (!privateKey) {
+        privateKey = readFileKey(privateKeyName, keysFilepath)
+      }
+    }
+  }
+
+  // ops
+  if (opsOn && !privateKey && publicKey && publicKey.length > 0) {
+    const kp = opsKeypair(publicKey)
+    privateKey = kp.privateKey
+  }
+
+  return {
+    publicKeyValue: publicKey || null, // important to make sure name is rendered
+    privateKeyValue: privateKey || null // importan to make sure name is rendered
+  }
+}
+
+module.exports = keyValues

package/src/lib/helpers/keyResolution/readFileKey.js

@@ -0,0 +1,15 @@
+const fsx = require('./../fsx')
+const dotenvParse = require('./../dotenvParse')
+
+function readFileKey (keyName, filepath) {
+  if (fsx.existsSync(filepath)) {
+    const src = fsx.readFileX(filepath)
+    const parsed = dotenvParse(src)
+
+    if (parsed[keyName] && parsed[keyName].length > 0) {
+      return parsed[keyName]
+    }
+  }
+}
+
+module.exports = readFileKey

package/src/lib/helpers/keyResolution/readProcessKey.js

@@ -0,0 +1,7 @@
+function readProcessKey (keyName) {
+  if (process.env[keyName] && process.env[keyName].length > 0) {
+    return process.env[keyName]
+  }
+}
+
+module.exports = readProcessKey

package/src/lib/helpers/parse.js

@@ -1,4 +1,4 @@
-const decryptKeyValue = require('./decryptKeyValue')
+const decryptKeyValue = require('./cryptography/decryptKeyValue')
 const evalKeyValue = require('./evalKeyValue')
 const resolveEscapeSequences = require('./resolveEscapeSequences')
 

package/src/lib/helpers/prependPublicKey.js

@@ -0,0 +1,17 @@
+function prependPublicKey (publicKeyName, publicKey, filename, relativeFilepath = '.env.keys') {
+  const comment = relativeFilepath === '.env.keys'
+    ? ''
+    : ` # -fk ${relativeFilepath}`
+
+  return [
+    '#/-------------------[DOTENV_PUBLIC_KEY]--------------------/',
+    '#/            public-key encryption for .env files          /',
+    '#/       [how it works](https://dotenvx.com/encryption)     /',
+    '#/----------------------------------------------------------/',
+    `${publicKeyName}="${publicKey}"${comment}`,
+    '',
+    `# ${filename}`
+  ].join('\n')
+}
+
+module.exports = prependPublicKey

package/src/lib/helpers/preserveShebang.js

@@ -0,0 +1,16 @@
+function preserveShebang (envSrc) {
+  const [firstLine, ...remainingLines] = envSrc.split('\n')
+  let firstLinePreserved = ''
+
+  if (firstLine.startsWith('#!')) {
+    firstLinePreserved = firstLine + '\n'
+    envSrc = remainingLines.join('\n')
+  }
+
+  return {
+    firstLinePreserved,
+    envSrc
+  }
+}
+
+module.exports = preserveShebang

package/src/lib/main.d.ts

@@ -113,10 +113,10 @@ export interface DotenvConfigOptions {
   envKeysFile?: string;
 
   /**
-   * Pass the DOTENV_KEY directly to config options. Defaults to looking for process.env.DOTENV_KEY environment variable. Note this only applies to decrypting .env.vault files. If passed as null or undefined, or not passed at all, dotenv falls back to its traditional job of parsing a .env file.
+   * Legacy option retained for compatibility.
    *
    * @default undefined
-   * @example require('@dotenvx/dotenvx').config({ DOTENV_KEY: 'dotenv://:key_1234…@dotenvx.com/vault/.env.vault?environment=production' })
+   * @example require('@dotenvx/dotenvx').config({ DOTENV_KEY: 'dotenv://:key_1234…' })
    */
   DOTENV_KEY?: string;
 
@@ -166,7 +166,7 @@ export interface DotenvPopulateInput {
 }
 
 /**
- * Loads `.env` file contents into process.env by default. If `DOTENV_KEY` is present, it smartly attempts to load encrypted `.env.vault` file contents into process.env.
+ * Loads `.env` file contents into process.env by default.
  *
  * @see https://dotenvx.com/docs
  *
@@ -205,6 +205,14 @@ export interface SetOptions {
    * @example require('@dotenvx/dotenvx').config(key, value, { encrypt: false } })
    */
   encrypt?: boolean;
+
+  /**
+   * Turn off Dotenvx Ops features - https://dotenvx.com/ops
+   *
+   * @default false
+   * @example require('@dotenvx/dotenvx').set(key, value, { opsOff: true })
+   */
+  opsOff?: boolean;
 }
 
 export type SetProcessedEnv = {
@@ -272,6 +280,14 @@ export interface GetOptions {
    * @example require('@dotenvx/dotenvx').get('KEY', { strict: true })
    */
   strict?: boolean;
+
+  /**
+   * Turn off Dotenvx Ops features - https://dotenvx.com/ops
+   *
+   * @default false
+   * @example require('@dotenvx/dotenvx').get('KEY', { opsOff: true })
+   */
+  opsOff?: boolean;
 }
 
 /**

package/src/lib/main.js

@@ -39,12 +39,6 @@ const config = function (options = {}) {
   // envKeysFile
   const envKeysFile = options.envKeysFile
 
-  // DOTENV_KEY (DEPRECATED)
-  let DOTENV_KEY = process.env.DOTENV_KEY
-  if (options && options.DOTENV_KEY) {
-    DOTENV_KEY = options.DOTENV_KEY
-  }
-
   // dotenvx-ops related
   const opsOn = options.opsOff !== true
 
@@ -55,12 +49,12 @@ const config = function (options = {}) {
   }
 
   try {
-    const envs = buildEnvs(options, DOTENV_KEY)
+    const envs = buildEnvs(options)
     const {
       processedEnvs,
       readableFilepaths,
       uniqueInjectedKeys
-    } = new Run(envs, overload, DOTENV_KEY, processEnv, envKeysFile, opsOn).run()
+    } = new Run(envs, overload, processEnv, envKeysFile, opsOn).run()
 
     if (opsOn) {
       // removed radar feature for now. contact me at mot@dotenvx.com if still needed for your organization.
@@ -71,11 +65,6 @@ const config = function (options = {}) {
     /** @type {Record<string, string>} */
     const parsedAll = {}
     for (const processedEnv of processedEnvs) {
-      if (processedEnv.type === 'envVaultFile') {
-        logger.verbose(`loading env from encrypted ${processedEnv.filepath} (${path.resolve(processedEnv.filepath)})`)
-        logger.debug(`decrypting encrypted env from ${processedEnv.filepath} (${path.resolve(processedEnv.filepath)})`)
-      }
-
       if (processedEnv.type === 'envFile') {
         logger.verbose(`loading env from ${processedEnv.filepath} (${path.resolve(processedEnv.filepath)})`)
       }
@@ -192,12 +181,13 @@ const set = function (key, value, options = {}) {
 
   const envs = buildEnvs(options)
   const envKeysFilepath = options.envKeysFile
+  const opsOn = options.opsOff !== true
 
   const {
     processedEnvs,
     changedFilepaths,
     unchangedFilepaths
-  } = new Sets(key, value, envs, encrypt, envKeysFilepath).run()
+  } = new Sets(key, value, envs, encrypt, envKeysFilepath, opsOn).run()
 
   let withEncryption = ''
 
@@ -257,11 +247,12 @@ const set = function (key, value, options = {}) {
 /* @type {import('./main').get} */
 const get = function (key, options = {}) {
   const envs = buildEnvs(options)
+  const opsOn = options.opsOff !== true
 
   // ignore
   const ignore = options.ignore || []
 
-  const { parsed, errors } = new Get(key, envs, options.overload, process.env.DOTENV_KEY, options.all, options.envKeysFile).run()
+  const { parsed, errors } = new Get(key, envs, options.overload, options.all, options.envKeysFile, opsOn).run()
 
   for (const error of errors || []) {
     if (ignore.includes(error.code)) {
@@ -317,8 +308,9 @@ const genexample = function (directory, envFile) {
 }
 
 /** @type {import('./main').keypair} */
-const keypair = function (envFile, key, envKeysFile = null) {
-  const keypairs = new Keypair(envFile, envKeysFile).run()
+const keypair = function (envFile, key, envKeysFile = null, opsOff = false) {
+  const opsOn = opsOff !== true
+  const keypairs = new Keypair(envFile, envKeysFile, opsOn).run()
   if (key) {
     return keypairs[key]
   } else {

package/src/lib/services/decrypt.js

@@ -5,19 +5,28 @@ const picomatch = require('picomatch')
 const TYPE_ENV_FILE = 'envFile'
 
 const Errors = require('./../helpers/errors')
-const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
-const { findPrivateKey } = require('./../helpers/findPrivateKey')
-const findPublicKey = require('./../helpers/findPublicKey')
-const decryptKeyValue = require('./../helpers/decryptKeyValue')
-const isEncrypted = require('./../helpers/isEncrypted')
-const dotenvParse = require('./../helpers/dotenvParse')
+
+const {
+  determine
+} = require('./../helpers/envResolution')
+
+const {
+  keyNames,
+  keyValues
+} = require('./../helpers/keyResolution')
+
+const {
+  decryptKeyValue,
+  isEncrypted
+} = require('./../helpers/cryptography')
+
 const replace = require('./../helpers/replace')
+const dotenvParse = require('./../helpers/dotenvParse')
 const detectEncoding = require('./../helpers/detectEncoding')
-const determineEnvs = require('./../helpers/determineEnvs')
 
 class Decrypt {
-  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null, opsOn = true) {
-    this.envs = determineEnvs(envs, process.env)
+  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null, opsOn = false) {
+    this.envs = determine(envs, process.env)
     this.key = key
     this.excludeKey = excludeKey
     this.envKeysFilepath = envKeysFilepath
@@ -63,15 +72,14 @@ class Decrypt {
     row.envFilepath = envFilepath
 
     try {
-      const encoding = this._detectEncoding(filepath)
+      const encoding = detectEncoding(filepath)
       let envSrc = fsx.readFileX(filepath, { encoding })
       const envParsed = dotenvParse(envSrc)
 
-      const publicKey = findPublicKey(envFilepath)
-      const privateKey = findPrivateKey(envFilepath, this.envKeysFilepath, this.opsOn, publicKey)
-      const privateKeyName = guessPrivateKeyName(envFilepath)
+      const { privateKeyName } = keyNames(envFilepath)
+      const { privateKeyValue } = keyValues(envFilepath, { keysFilepath: this.envKeysFilepath, opsOn: this.opsOn })
 
-      row.privateKey = privateKey
+      row.privateKey = privateKeyValue
       row.privateKeyName = privateKeyName
       row.changed = false // track possible changes
 
@@ -90,7 +98,7 @@ class Decrypt {
         if (encrypted) {
           row.keys.push(key) // track key(s)
 
-          const decryptedValue = decryptKeyValue(key, value, privateKeyName, privateKey)
+          const decryptedValue = decryptKeyValue(key, value, privateKeyName, privateKeyValue)
           // once newSrc is built write it out
           envSrc = replace(envSrc, key, decryptedValue)
 
@@ -130,10 +138,6 @@ class Decrypt {
 
     return this.excludeKey
   }
-
-  _detectEncoding (filepath) {
-    return detectEncoding(filepath)
-  }
 }
 
 module.exports = Decrypt