How to make config.json remain permanently visible in the editor


#1

It's quite bothersome to constantly be going to the console to edit changes, so is there any way to fix that?

I know that config.json gets hidden by default because it's gitignored, but that's to prevent Discord bot tokens from being leaked.
Isn't there any way for the gitignored files to remain visible in the editor?


#2

Move your secrets from config.json to .env file. (It is ignored, but shown to contributors):

echo "BOT_TOKEN=secret" >> .env

Make sure there are no secrets in the config.json and remove it from .gitignore.
In the code, access the token via process.env:

const token = process.env.BOT_TOKEN

#3

Not an ideal situation, since it's insecure to store sensitive info in env vars. I was hoping for a simpler solution to have the files be visible in the editor via an option to enable “hidden” files.

Env vars are exposed to the entire process, which includes third-party dependencies for any software that matters. Storing sensitive info there means 3rd-party dependencies can also take advantage of it.


#4

You want to say that these 3rd party deps do not have access to config.json?


#5

Most 3rd-party packages have 3rd-party packages of their own, and those have their own, and so on. So if some developer of even one of those 3rd-party packages in the chain decides to grab all the variables stored in the env, no one would easily be able to know that, and voilà, they are compromised.

All credentials are now with that malicious attacker and they can do whatever the hell they want with it.


#6

Yes, but why are you sure that such a malicious package will not be able to read your config.json?


#7

Hi @maidos, @Chilace has a valid point; any package running in the Node.JS process (as all of your npm packages do) will have access to anything the Node process can access, including your hidden config.json file - “hiding” it only hides from the file list and the git repo; not from Node.

There’s extra infrastructure around the .env that gives it special meaning in Glitch, among which is the fact that its contents are:

  1. visible to the editor (including to collaborators)
  2. hidden from git / Rewind
  3. only keys are copied on remix; not values

All in all, .env is the most Glitch-y (and most correct, in the context of Glitch) place to store your secrets. I’m afraid there is no workaround to the behavior that hides .gitignored files from the editor, and we have no specific plans to change that.


#8

It is available to all packages. But they can’t access the credentials unless it’s explicitly passed to them or the 3rd-party packages know exactly where it is stored, unlike env vars, which every package can access directly.


#9

Malicious software does not wait for credentials to be passed to it; it is looking for them.
So storing unencrypted credentials in the config file is no more secure than in the environment.


#10

Hey @maidos in the long run of course it’s up to you how you store your secrets. Putting them in config.json and gitignoring that file has the consequence of not being able to edit the file in the editor, so you’ll have to decide if that’s a worthwhile tradeoff for you.

Happy Glitching!