npm - @dotenvx/dotenvx - Versions diffs - 1.55.1 → 1.57.0 - Mend

@dotenvx/dotenvx 1.55.1 → 1.57.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/CHANGELOG.md +18 -1
package/README.md +43 -45
package/package.json +3 -3
package/src/cli/actions/decrypt.js +2 -2
package/src/cli/actions/encrypt.js +10 -14
package/src/cli/actions/ext/genexample.js +3 -2
package/src/cli/actions/ext/gitignore.js +2 -2
package/src/cli/actions/get.js +4 -2
package/src/cli/actions/keypair.js +3 -2
package/src/cli/actions/rotate.js +19 -21
package/src/cli/actions/run.js +1 -14
package/src/cli/actions/set.js +16 -16
package/src/cli/commands/ext.js +0 -3
package/src/cli/dotenvx.js +29 -25
package/src/cli/examples.js +2 -2
package/src/db/session.js +21 -0
package/src/lib/extensions/ops.js +98 -0
package/src/lib/helpers/buildEnvs.js +2 -15
package/src/lib/helpers/{decryptKeyValue.js → cryptography/decryptKeyValue.js} +1 -1
package/src/lib/helpers/cryptography/index.js +14 -0
package/src/lib/helpers/{isPublicKey.js → cryptography/isPublicKey.js} +1 -1
package/src/lib/helpers/{keypair.js → cryptography/localKeypair.js} +2 -2
package/src/lib/helpers/cryptography/mutateKeysSrc.js +38 -0
package/src/lib/helpers/cryptography/mutateSrc.js +24 -0
package/src/lib/helpers/cryptography/opsKeypair.js +14 -0
package/src/lib/helpers/cryptography/provision.js +47 -0
package/src/lib/helpers/cryptography/provisionWithPrivateKey.js +26 -0
package/src/lib/helpers/envResolution/determine.js +46 -0
package/src/lib/helpers/{guessEnvironment.js → envResolution/environment.js} +4 -6
package/src/lib/helpers/envResolution/index.js +8 -0
package/src/lib/helpers/errors.js +13 -0
package/src/lib/helpers/executeDynamic.js +11 -14
package/src/lib/helpers/findEnvFiles.js +1 -1
package/src/lib/helpers/isFullyEncrypted.js +3 -3
package/src/lib/helpers/keyResolution/index.js +13 -0
package/src/lib/helpers/keyResolution/keyNames.js +24 -0
package/src/lib/helpers/keyResolution/keyValues.js +85 -0
package/src/lib/helpers/keyResolution/readFileKey.js +15 -0
package/src/lib/helpers/keyResolution/readProcessKey.js +7 -0
package/src/lib/helpers/localDisplayPath.js +11 -0
package/src/lib/helpers/parse.js +1 -1
package/src/lib/helpers/prependPublicKey.js +17 -0
package/src/lib/helpers/preserveShebang.js +16 -0
package/src/lib/main.d.ts +19 -3
package/src/lib/main.js +23 -32
package/src/lib/services/decrypt.js +23 -19
package/src/lib/services/encrypt.js +41 -136
package/src/lib/services/get.js +3 -3
package/src/lib/services/keypair.js +12 -16
package/src/lib/services/prebuild.js +2 -2
package/src/lib/services/precommit.js +2 -2
package/src/lib/services/rotate.js +59 -42
package/src/lib/services/run.js +29 -112
package/src/lib/services/sets.js +40 -124
package/src/shared/colors.js +10 -0
package/src/shared/logger.js +4 -3
package/src/lib/helpers/decrypt.js +0 -31
package/src/lib/helpers/deprecationNotice.js +0 -17
package/src/lib/helpers/determineEnvs.js +0 -65
package/src/lib/helpers/encrypt.js +0 -29
package/src/lib/helpers/findPrivateKey.js +0 -25
package/src/lib/helpers/findPublicKey.js +0 -15
package/src/lib/helpers/guessPrivateKeyName.js +0 -18
package/src/lib/helpers/guessPublicKeyName.js +0 -18
package/src/lib/helpers/parseEncryptionKeyFromDotenvKey.js +0 -19
package/src/lib/helpers/parseEnvironmentFromDotenvKey.js +0 -19
package/src/lib/helpers/smartDotenvPrivateKey.js +0 -89
package/src/lib/helpers/smartDotenvPublicKey.js +0 -42
package/src/lib/services/ops.js +0 -136
/package/src/lib/helpers/{encryptValue.js → cryptography/encryptValue.js} +0 -0
/package/src/lib/helpers/{isEncrypted.js → cryptography/isEncrypted.js} +0 -0

package/src/lib/helpers/isFullyEncrypted.js CHANGED Viewed

@@ -1,6 +1,6 @@
 const dotenvParse = require('./dotenvParse')
-const isEncrypted = require('./isEncrypted')
-const isPublicKey = require('./isPublicKey')
+const isEncrypted = require('./cryptography/isEncrypted')
+const isPublicKey = require('./cryptography/isPublicKey')
 function isFullyEncrypted (src) {
   const parsed = dotenvParse(src, false, false, true) // collect all values
@@ -14,7 +14,7 @@ function isFullyEncrypted (src) {
     //
     // key => [value1, ...]
     for (const value of values) {
-      const result = isEncrypted(value) || isPublicKey(key, value)
+      const result = isEncrypted(value) || isPublicKey(key)
       if (!result) {
         return false
       }

package/src/lib/helpers/keyResolution/index.js ADDED Viewed

@@ -0,0 +1,13 @@
+module.exports = {
+  keyNames: require('./keyNames'),
+  keyValues: require('./keyValues'),
+  // private
+  // private keys are resolved via keyValues()
+  // other
+  readProcessKey: require('./readProcessKey'),
+  readFileKey: require('./readFileKey'),
+  guessPrivateKeyFilename: require('./../guessPrivateKeyFilename'),
+  dotenvPrivateKeyNames: require('./../dotenvPrivateKeyNames')
+}

package/src/lib/helpers/keyResolution/keyNames.js ADDED Viewed

@@ -0,0 +1,24 @@
+const path = require('path')
+const environment = require('./../envResolution/environment')
+function keyNames (filepath) {
+  const filename = path.basename(filepath).toLowerCase()
+  // .env
+  if (filename === '.env') {
+    return {
+      publicKeyName: 'DOTENV_PUBLIC_KEY',
+      privateKeyName: 'DOTENV_PRIVATE_KEY'
+    }
+  }
+  // .env.ENVIRONMENT
+  const resolvedEnvironment = environment(filename).toUpperCase()
+  return {
+    publicKeyName: `DOTENV_PUBLIC_KEY_${resolvedEnvironment}`,
+    privateKeyName: `DOTENV_PRIVATE_KEY_${resolvedEnvironment}`
+  }
+}
+module.exports = keyNames

package/src/lib/helpers/keyResolution/keyValues.js ADDED Viewed

@@ -0,0 +1,85 @@
+const path = require('path')
+const fsx = require('./../fsx')
+const dotenvParse = require('./../dotenvParse')
+const keyNames = require('./keyNames')
+const readProcessKey = require('./readProcessKey')
+const readFileKey = require('./readFileKey')
+const opsKeypair = require('../cryptography/opsKeypair')
+function invertForPrivateKeyName (filepath) {
+  const PUBLIC_KEY_SCHEMA = 'DOTENV_PUBLIC_KEY'
+  const PRIVATE_KEY_SCHEMA = 'DOTENV_PRIVATE_KEY'
+  if (!fsx.existsSync(filepath)) {
+    return null
+  }
+  const envSrc = fsx.readFileX(filepath)
+  const envParsed = dotenvParse(envSrc)
+  let publicKeyName
+  for (const keyName of Object.keys(envParsed)) {
+    if (keyName === PUBLIC_KEY_SCHEMA || keyName.startsWith(PUBLIC_KEY_SCHEMA)) {
+      publicKeyName = keyName // find DOTENV_PUBLIC_KEY* in filename
+    }
+  }
+  if (publicKeyName) {
+    return publicKeyName.replace(PUBLIC_KEY_SCHEMA, PRIVATE_KEY_SCHEMA) // return inverted (DOTENV_PUBLIC_KEY* -> DOTENV_PRIVATE_KEY*) if found
+  }
+  return null
+}
+function keyValues (filepath, opts = {}) {
+  let keysFilepath = opts.keysFilepath || null
+  const opsOn = opts.opsOn === true
+  const names = keyNames(filepath)
+  const publicKeyName = names.publicKeyName // DOTENV_PUBLIC_KEY_${ENVIRONMENT}
+  let privateKeyName = names.privateKeyName // DOTENV_PRIVATE_KEY_${ENVIRONMENT}
+  let publicKey = null
+  let privateKey = null
+  // public key: process.env first, then .env*
+  publicKey = readProcessKey(publicKeyName)
+  if (!publicKey) {
+    publicKey = readFileKey(publicKeyName, filepath) || null
+  }
+  // private key: process.env first, then .env.keys, then invert public key
+  privateKey = readProcessKey(privateKeyName)
+  if (!privateKey) {
+    if (keysFilepath) { // user specified -fk flag
+      keysFilepath = path.resolve(keysFilepath)
+    } else {
+      keysFilepath = path.resolve(path.dirname(filepath), '.env.keys') // typical scenario
+    }
+    privateKey = readFileKey(privateKeyName, keysFilepath)
+  }
+  // invert
+  if (!privateKey) {
+    privateKeyName = invertForPrivateKeyName(filepath)
+    if (privateKeyName) {
+      privateKey = readProcessKey(privateKeyName)
+      if (!privateKey) {
+        privateKey = readFileKey(privateKeyName, keysFilepath)
+      }
+    }
+  }
+  // ops
+  if (opsOn && !privateKey && publicKey && publicKey.length > 0) {
+    const kp = opsKeypair(publicKey)
+    privateKey = kp.privateKey
+  }
+  return {
+    publicKeyValue: publicKey || null, // important to make sure name is rendered
+    privateKeyValue: privateKey || null // importan to make sure name is rendered
+  }
+}
+module.exports = keyValues

package/src/lib/helpers/keyResolution/readFileKey.js ADDED Viewed

@@ -0,0 +1,15 @@
+const fsx = require('./../fsx')
+const dotenvParse = require('./../dotenvParse')
+function readFileKey (keyName, filepath) {
+  if (fsx.existsSync(filepath)) {
+    const src = fsx.readFileX(filepath)
+    const parsed = dotenvParse(src)
+    if (parsed[keyName] && parsed[keyName].length > 0) {
+      return parsed[keyName]
+    }
+  }
+}
+module.exports = readFileKey

package/src/lib/helpers/keyResolution/readProcessKey.js ADDED Viewed

@@ -0,0 +1,7 @@
+function readProcessKey (keyName) {
+  if (process.env[keyName] && process.env[keyName].length > 0) {
+    return process.env[keyName]
+  }
+}
+module.exports = readProcessKey

package/src/lib/helpers/localDisplayPath.js ADDED Viewed

@@ -0,0 +1,11 @@
+const path = require('path')
+function localDisplayPath (filepath) {
+  if (!filepath) return '.env.keys'
+  if (!path.isAbsolute(filepath)) return filepath
+  const relative = path.relative(process.cwd(), filepath)
+  return relative || path.basename(filepath)
+}
+module.exports = localDisplayPath

package/src/lib/helpers/parse.js CHANGED Viewed

@@ -1,4 +1,4 @@
-const decryptKeyValue = require('./decryptKeyValue')
+const decryptKeyValue = require('./cryptography/decryptKeyValue')
 const evalKeyValue = require('./evalKeyValue')
 const resolveEscapeSequences = require('./resolveEscapeSequences')

package/src/lib/helpers/prependPublicKey.js ADDED Viewed

@@ -0,0 +1,17 @@
+function prependPublicKey (publicKeyName, publicKey, filename, relativeFilepath = '.env.keys') {
+  const comment = relativeFilepath === '.env.keys'
+    ? ''
+    : ` # -fk ${relativeFilepath}`
+  return [
+    '#/-------------------[DOTENV_PUBLIC_KEY]--------------------/',
+    '#/            public-key encryption for .env files          /',
+    '#/       [how it works](https://dotenvx.com/encryption)     /',
+    '#/----------------------------------------------------------/',
+    `${publicKeyName}="${publicKey}"${comment}`,
+    '',
+    `# ${filename}`
+  ].join('\n')
+}
+module.exports = prependPublicKey

package/src/lib/helpers/preserveShebang.js ADDED Viewed

@@ -0,0 +1,16 @@
+function preserveShebang (envSrc) {
+  const [firstLine, ...remainingLines] = envSrc.split('\n')
+  let firstLinePreserved = ''
+  if (firstLine.startsWith('#!')) {
+    firstLinePreserved = firstLine + '\n'
+    envSrc = remainingLines.join('\n')
+  }
+  return {
+    firstLinePreserved,
+    envSrc
+  }
+}
+module.exports = preserveShebang

package/src/lib/main.d.ts CHANGED Viewed

@@ -113,10 +113,10 @@ export interface DotenvConfigOptions {
   envKeysFile?: string;
   /**
-   * Pass the DOTENV_KEY directly to config options. Defaults to looking for process.env.DOTENV_KEY environment variable. Note this only applies to decrypting .env.vault files. If passed as null or undefined, or not passed at all, dotenv falls back to its traditional job of parsing a .env file.
+   * Legacy option retained for compatibility.
    *
    * @default undefined
-   * @example require('@dotenvx/dotenvx').config({ DOTENV_KEY: 'dotenv://:key_1234…@dotenvx.com/vault/.env.vault?environment=production' })
+   * @example require('@dotenvx/dotenvx').config({ DOTENV_KEY: 'dotenv://:key_1234…' })
    */
   DOTENV_KEY?: string;
@@ -166,7 +166,7 @@ export interface DotenvPopulateInput {
 }
 /**
- * Loads `.env` file contents into process.env by default. If `DOTENV_KEY` is present, it smartly attempts to load encrypted `.env.vault` file contents into process.env.
+ * Loads `.env` file contents into process.env by default.
  *
  * @see https://dotenvx.com/docs
  *
@@ -205,6 +205,14 @@ export interface SetOptions {
    * @example require('@dotenvx/dotenvx').config(key, value, { encrypt: false } })
    */
   encrypt?: boolean;
+  /**
+   * Turn off Dotenvx Ops features - https://dotenvx.com/ops
+   *
+   * @default false
+   * @example require('@dotenvx/dotenvx').set(key, value, { opsOff: true })
+   */
+  opsOff?: boolean;
 }
 export type SetProcessedEnv = {
@@ -272,6 +280,14 @@ export interface GetOptions {
    * @example require('@dotenvx/dotenvx').get('KEY', { strict: true })
    */
   strict?: boolean;
+  /**
+   * Turn off Dotenvx Ops features - https://dotenvx.com/ops
+   *
+   * @default false
+   * @example require('@dotenvx/dotenvx').get('KEY', { opsOff: true })
+   */
+  opsOff?: boolean;
 }
 /**

package/src/lib/main.js CHANGED Viewed

@@ -17,7 +17,7 @@ const Genexample = require('./services/genexample')
 const buildEnvs = require('./helpers/buildEnvs')
 const Parse = require('./helpers/parse')
 const fsx = require('./helpers/fsx')
-const isIgnoringDotenvKeys = require('./helpers/isIgnoringDotenvKeys')
+const localDisplayPath = require('./helpers/localDisplayPath')
 /** @type {import('./main').config} */
 const config = function (options = {}) {
@@ -39,12 +39,6 @@ const config = function (options = {}) {
   // envKeysFile
   const envKeysFile = options.envKeysFile
-  // DOTENV_KEY (DEPRECATED)
-  let DOTENV_KEY = process.env.DOTENV_KEY
-  if (options && options.DOTENV_KEY) {
-    DOTENV_KEY = options.DOTENV_KEY
-  }
   // dotenvx-ops related
   const opsOn = options.opsOff !== true
@@ -55,12 +49,12 @@ const config = function (options = {}) {
   }
   try {
-    const envs = buildEnvs(options, DOTENV_KEY)
+    const envs = buildEnvs(options)
     const {
       processedEnvs,
       readableFilepaths,
       uniqueInjectedKeys
-    } = new Run(envs, overload, DOTENV_KEY, processEnv, envKeysFile, opsOn).run()
+    } = new Run(envs, overload, processEnv, envKeysFile, opsOn).run()
     if (opsOn) {
       // removed radar feature for now. contact me at mot@dotenvx.com if still needed for your organization.
@@ -71,11 +65,6 @@ const config = function (options = {}) {
     /** @type {Record<string, string>} */
     const parsedAll = {}
     for (const processedEnv of processedEnvs) {
-      if (processedEnv.type === 'envVaultFile') {
-        logger.verbose(`loading env from encrypted ${processedEnv.filepath} (${path.resolve(processedEnv.filepath)})`)
-        logger.debug(`decrypting encrypted env from ${processedEnv.filepath} (${path.resolve(processedEnv.filepath)})`)
-      }
       if (processedEnv.type === 'envFile') {
         logger.verbose(`loading env from ${processedEnv.filepath} (${path.resolve(processedEnv.filepath)})`)
       }
@@ -192,12 +181,13 @@ const set = function (key, value, options = {}) {
   const envs = buildEnvs(options)
   const envKeysFilepath = options.envKeysFile
+  const opsOn = options.opsOff !== true
   const {
     processedEnvs,
     changedFilepaths,
     unchangedFilepaths
-  } = new Sets(key, value, envs, encrypt, envKeysFilepath).run()
+  } = new Sets(key, value, envs, encrypt, envKeysFilepath, opsOn).run()
   let withEncryption = ''
@@ -226,26 +216,25 @@ const set = function (key, value, options = {}) {
     }
   }
+  const keyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.privateKeyAdded)
+  const keyAddedSuffix = keyAddedEnv ? ` + key (${localDisplayPath(keyAddedEnv.envKeysFilepath)})` : ''
   if (changedFilepaths.length > 0) {
-    logger.success(`✔ set ${key}${withEncryption} (${changedFilepaths.join(',')})`)
+    if (encrypt) {
+      logger.success(`◈ encrypted ${key} (${changedFilepaths.join(',')})${keyAddedSuffix}`)
+    } else {
+      logger.success(`◇ set ${key} (${changedFilepaths.join(',')})`)
+    }
+  } else if (encrypt && keyAddedEnv) {
+    const keyAddedEnvFilepath = keyAddedEnv.envFilepath || changedFilepaths[0] || '.env'
+    logger.success(`◈ encrypted ${key} (${keyAddedEnvFilepath})${keyAddedSuffix}`)
   } else if (unchangedFilepaths.length > 0) {
-    logger.info(`no changes (${unchangedFilepaths})`)
+    logger.info(`○ no changes (${unchangedFilepaths})`)
   } else {
     // do nothing
   }
-  for (const processedEnv of processedEnvs) {
-    if (processedEnv.privateKeyAdded) {
-      logger.success(`✔ key added to ${processedEnv.envKeysFilepath} (${processedEnv.privateKeyName})`)
-      // logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
-      if (!isIgnoringDotenvKeys()) {
-        logger.help('⮕  next run: [dotenvx ext gitignore --pattern .env.keys] to gitignore .env.keys')
-      }
-      logger.help(`⮕  next run: [${processedEnv.privateKeyName}='${processedEnv.privateKey}' dotenvx get ${key}] to test decryption locally`)
-    }
-  }
+  // intentionally quiet: success line communicates key creation
   return {
     processedEnvs,
@@ -257,11 +246,12 @@ const set = function (key, value, options = {}) {
 /* @type {import('./main').get} */
 const get = function (key, options = {}) {
   const envs = buildEnvs(options)
+  const opsOn = options.opsOff !== true
   // ignore
   const ignore = options.ignore || []
-  const { parsed, errors } = new Get(key, envs, options.overload, process.env.DOTENV_KEY, options.all, options.envKeysFile).run()
+  const { parsed, errors } = new Get(key, envs, options.overload, options.all, options.envKeysFile, opsOn).run()
   for (const error of errors || []) {
     if (ignore.includes(error.code)) {
@@ -317,8 +307,9 @@ const genexample = function (directory, envFile) {
 }
 /** @type {import('./main').keypair} */
-const keypair = function (envFile, key, envKeysFile = null) {
-  const keypairs = new Keypair(envFile, envKeysFile).run()
+const keypair = function (envFile, key, envKeysFile = null, opsOff = false) {
+  const opsOn = opsOff !== true
+  const keypairs = new Keypair(envFile, envKeysFile, opsOn).run()
   if (key) {
     return keypairs[key]
   } else {

package/src/lib/services/decrypt.js CHANGED Viewed

@@ -5,19 +5,28 @@ const picomatch = require('picomatch')
 const TYPE_ENV_FILE = 'envFile'
 const Errors = require('./../helpers/errors')
-const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
-const { findPrivateKey } = require('./../helpers/findPrivateKey')
-const findPublicKey = require('./../helpers/findPublicKey')
-const decryptKeyValue = require('./../helpers/decryptKeyValue')
-const isEncrypted = require('./../helpers/isEncrypted')
-const dotenvParse = require('./../helpers/dotenvParse')
+const {
+  determine
+} = require('./../helpers/envResolution')
+const {
+  keyNames,
+  keyValues
+} = require('./../helpers/keyResolution')
+const {
+  decryptKeyValue,
+  isEncrypted
+} = require('./../helpers/cryptography')
 const replace = require('./../helpers/replace')
+const dotenvParse = require('./../helpers/dotenvParse')
 const detectEncoding = require('./../helpers/detectEncoding')
-const determineEnvs = require('./../helpers/determineEnvs')
 class Decrypt {
-  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null, opsOn = true) {
-    this.envs = determineEnvs(envs, process.env)
+  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null, opsOn = false) {
+    this.envs = determine(envs, process.env)
     this.key = key
     this.excludeKey = excludeKey
     this.envKeysFilepath = envKeysFilepath
@@ -63,15 +72,14 @@ class Decrypt {
     row.envFilepath = envFilepath
     try {
-      const encoding = this._detectEncoding(filepath)
+      const encoding = detectEncoding(filepath)
       let envSrc = fsx.readFileX(filepath, { encoding })
       const envParsed = dotenvParse(envSrc)
-      const publicKey = findPublicKey(envFilepath)
-      const privateKey = findPrivateKey(envFilepath, this.envKeysFilepath, this.opsOn, publicKey)
-      const privateKeyName = guessPrivateKeyName(envFilepath)
+      const { privateKeyName } = keyNames(envFilepath)
+      const { privateKeyValue } = keyValues(envFilepath, { keysFilepath: this.envKeysFilepath, opsOn: this.opsOn })
-      row.privateKey = privateKey
+      row.privateKey = privateKeyValue
       row.privateKeyName = privateKeyName
       row.changed = false // track possible changes
@@ -90,7 +98,7 @@ class Decrypt {
         if (encrypted) {
           row.keys.push(key) // track key(s)
-          const decryptedValue = decryptKeyValue(key, value, privateKeyName, privateKey)
+          const decryptedValue = decryptKeyValue(key, value, privateKeyName, privateKeyValue)
           // once newSrc is built write it out
           envSrc = replace(envSrc, key, decryptedValue)
@@ -130,10 +138,6 @@ class Decrypt {
     return this.excludeKey
   }
-  _detectEncoding (filepath) {
-    return detectEncoding(filepath)
-  }
 }
 module.exports = Decrypt