Storing a password in config.json

Hi!

I’ve written a CLI app for educational purposes. It sends email in certain cases (notifying me). I’m using the gmail package (https://github.com/SlyMarbo/gmail) to send emails. This package requires an app-specific password, which I got from my Google account settings (it looks like “dgfhjghfjklrtyhfghj” and I can’t change it and I can’t remember it). I put this password in config.json with other parameters.

The app works fine. The problem is that the password is stored in plain text in the config.json file, and it is not secure.
What solution would you recommend for storing passwords which the app needs to work?

My app is here: https://github.com/agrinevich/npwatch

If you aren’t storing the file in source control, what you are doing isn’t actually the worst thing in the world. The biggest factor here is making sure the passwords aren’t in source control, so make sure that config.json file is in your .gitignore and not in the repo.

Services like Heroku use ENV variables, which also work reasonably well, but at the end of the day they are very similar to just having a config.json file on your server - anyone with access to the server can access the data and read from it.

What you might want to do is encrypt the data and then decrypt it in your app, which would give you a little more security (but truthfully not a ton), or you could look at options like Vault (https://www.vaultproject.io/) by HashiCorp.

3 Likes

Thank you! 🙂
