Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Environment variables #1

Open
blittle opened this issue Jun 29, 2022 · 5 comments
Open

Environment variables #1

blittle opened this issue Jun 29, 2022 · 5 comments

Comments

@blittle
Copy link
Collaborator

blittle commented Jun 29, 2022
edited
Loading

Motivation

Platforms are not consistent in how they provide access to environment variables. We'd like to define a consistent API for environment variable access.

Environment variables on existing platforms

Cloudflare

Environment variables are injected into a scoped variable. For example, an API_TOKEN environment variable would be available within the env param:

export default {
  fetch(request, env, context) {
    // env.API_TOKEN
  },
};

Reference: https://developers.cloudflare.com/workers/runtime-apis/fetch-event/#syntax-module-worker

Vercel

Environment variables are defined on process.env object. For example, an API_TOKEN environment variable would be available by process.env.API_TOKEN.

Reference: https://vercel.com/docs/concepts/functions/serverless-functions#environment-variables

Deno

Environment variables are retrieved through a global Deno.env object. For example, an API_TOKEN environment variable would be available by Deno.env.get('API_TOKEN')

Reference: https://doc.deno.land/deno/stable/~/Deno.env

NodeJS

Environment variables are defined on a global process.env object. For example, an API_TOKEN environment variable would be available by process.env.API_TOKEN.

Reference: https://nodejs.org/docs/latest/api/process.html#processenv

Shopify Oxygen

Environment variables are defined on a global Oxygen.env object. For example, an API_TOKEN environment variable would be available by Oxygen.env.API_TOKEN.

Reference: https://shopify.dev/custom-storefronts/oxygen/environment-variables

Options

Unify on one of the existing platform implementations

Which one?

import.meta

The import.meta object exposes context-specific metadata to a JavaScript module. We could utilize that container for environment variables, import.meta.env.API_TOKEN.

There is precedent to import.meta.env with Vite's implementation. The downside to this is that import.meta is only available in ES Modules.
@XadillaX
Copy link

Hourai.js (Winter @bytedance)

Environment variables are retrived through a global Hourai.process.env object, it like process.env in Node.js but mount in Hourai namespace.

Maybe not every platform supports import since Hourai.js is a single file runtime.

@SegaraRai
Copy link

FWIW Cloudflare Workers has another syntax called module workers, in which environment variables are passed as an argument to the handler function instead of being placed globally.

Reference: https://developers.cloudflare.com/workers/platform/environment-variables/#environmental-variables-with-module-workers, https://developers.cloudflare.com/workers/runtime-apis/fetch-event/#syntax-module-worker

@jimmywarting
Copy link

Something that scare me a little bit is that any sub dependency can get access to the enviorment variable that i'm using myself.
I'm not really sure why we even need .env file that needs to be parsed in a specific way and having to depend on some dotenv package to parse it, when we can just simply have a .env.js that exports a default object and simply import it like import config from './.env.js'? it dose not have to be more complicated than that...

any how you should not put secrets in process.env... here is why: https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/

heck why don't we even have a way to import secrets with á.la http import style:
import secrets from 'https://example.com/secrets.json' { cookie: xyz }

any way... i think putting things in import.meta could save some security issues. only my files would have this secret meta data and the lodash dependency wouldn't know anything about my own secrets.

they need to be sandboxed somehow. more secure & possible encrypted.

@blittle
Copy link
Collaborator Author

blittle commented Jul 11, 2022

@jimmywarting the concern makes sense. Though switching to a code import has downsides. An entirely new code deploy is necessary to change the vars (at least for single-file and bundled runtimes). That isn't desirable for all situations, where you want the same code artifact to behave differently depending on the "environment".

But maybe whether or not secrets defined in environment variables isn't to be solved here? They are needed, and the goal here is to have a standard way to access them.

@blittle blittle mentioned this issue Jul 14, 2022
Open
4 tasks
@benjaminsehl benjaminsehl mentioned this issue Jul 21, 2022
Closed
@stipsan stipsan mentioned this issue Aug 22, 2022
Open
@jplhomer jplhomer mentioned this issue Nov 18, 2022
Merged
@QuiiBz QuiiBz mentioned this issue Jan 24, 2023
Open
@legendecas legendecas mentioned this issue Mar 20, 2023
Closed
@xtuc
Copy link

xtuc commented Mar 20, 2023
edited
Loading

@blittle do you mind editing the Cloudflare example in the issue? The syntax you used is deprecated and https://developers.cloudflare.com/workers/runtime-apis/fetch-event/#syntax-module-worker (env.VAR_NAME) should be used instead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jimmywarting @xtuc @blittle @XadillaX @SegaraRai