Home > Software design >  Is it "secure" to store a password and username in a .env file in a server to validate an
Is it "secure" to store a password and username in a .env file in a server to validate an

Time:01-18

Context

I've build a RESTful API server in Actix-Web with Rust that's hosted on a Heroku paid plan. It has n amount of publicly available endpoints to access content, alongside 3 strictly admin-only endpoints (for creating, editing, and deleting public content).

I am the only developer who'd ever need to access the admin-only endpoints - and infrequently at that. Several random users will be using the publicly available endpoints daily.

Normally, I'd implement an authentication/authorization strategy akin to this using JWTs (but obviously in Rust for my case). However, the added complexity that comes with this "more common" solution seems overkill for my simple use-case.

My theorized solution

Could I add a username and password field to the .env file in my project like so in order to match against a username and password passed in the admin-only handler functions?

... OTHER KEYS ...
USERNAME = my_really_long_random_username
PASSWORD = my_really_long_random_password

At first glance I'm storing passwords in plain text... but, there's only 1 and it's in my .env file, which is private by default.

All I'd do for the admin-only routes then is this (pseudo-code):

pub fn router_handler(passed_data) -> HttpResponse {
    if passed_data.username == env.username && passed_data.password == env.password {
        // CONSIDER THEM ADMIN
    } else {
        // BLOCK THEM AS THEY'RE NOT AUTHENTICATED
    }
}

What I've tried

I have yet to try this strategy, but I'm curious about your opinions on it.

Question

Is my theorized solution secure? Does it seem reasonable given my use-case?


Response to question: jthulhu - is this what I do?

So, my .env file should look something like this:

... OTHER KEYS ...
USERNAME = a98ysnrn938qwyanr9c8yQden 
PASSWORD = aosdf83h282huciquhr8291h91 

where both of those hashes are the results of running my pre-determined username and password through my to_hash function which I added below (likely using a lib like this).

Then, my handler should be like this (psuedo-code):

pub fn router_handler(passed_data) -> HttpResponse {
    if to_hash(passed_data.username) == env.username && to_hash(passed_data.password) == env.password {
        // CONSIDER THEM ADMIN
    } else {
        // BLOCK THEM AS THEY'RE NOT AUTHENTICATED
    }
}

CodePudding user response:

You should never store passwords in plain text in a server, because if someones breaks in your server, and can read that file, they now have access to everything (whereas they might previously not). Not only that, but most people tend to reuse passwords, so storing one password in plain text means exposing several services where that password is used.

Instead, you should hash the passwords and store the hash. To perform a login, check if the hash of the given password corresponds to the one stored. This mechanism can be used with files or with databases alike, and is pretty much independent on how you actually store the hashes.

  • Related