envoix

v3.0.0

Envoix is a collaborative tool to easily share, sync and manage environment variables between developers and teams.

Downloads

11

Envoix

Envoix is a command-line tool for easy and secure sharing of environment variables among developers and teams. It removes the overhead of sending env variables to each developer on your team personally over social media, and makes sure that everyone is in sync, all without leaving your terminal.

Features

  1. Easy user authentication
  2. Easy setup (just one command)
  3. Remote storage for all the variables
  4. Encrypted and secure
  5. Add other users to the project
  6. Manage user permissions (Push, Pull, Admin, Add_Users, Remove_Users)
  7. No hassles with GUI

Prerequisites

  • Node.js (v18+)
  • npm

Getting started

  1. Install the npm package globally
    sudo npm i -g envoix
  2. Create a new account, or log in to your existing account if you already have one
    envoix auth signup

OR

    envoix auth login
  3. You are all set to start using envoix in your projects

Usage

Usage: envoix [options] [command]

envoix is CLI tool for providing easy and secure way to share environment
variables among teams and developers

Options:
  -h, --help      display help for command

Commands:
  auth            Authentication commands
  init            Initialize new environment
  list            Get all environments
  pull            Pull environment variables
  push            Push environment files to server
  delete          Delete environment
  user            Handle user permissions
  help [command]  display help for command

Auth

This command includes all the authentication-related subcommands.

  • Login: envoix auth login

    • email
    • password
  • Signup: envoix auth signup

    • name
    • email
    • password
  • Profile: envoix auth profile

  • Logout: envoix auth logout

User Permissions

  • This command has several subcommands for managing user permissions on the environment
  • The permissions allowed can be any combination of the following list of permissions:
    • pull: Read the current environment variables from the server
    • push: Change/Update the environment variables on the server
    • add_user: Add a new user with a certain set of permissions
    • remove_user: Remove a user and their permissions
    • update_user: Update other users' permissions
    • admin: All the above permissions + some extra ones
      • list all users with permission
      • delete the environment

Usage

  • Add User: envoix user add

  • Remove User: envoix user remove

    • email
  • Update User: envoix user update

    • email
    • permissions
  • List Users: envoix user list

Environment Settings

  • These are the core features of this library, which provide functionality for managing environments
    • init: Create a new environment config
    • push: Push the current config to the server
    • pull: Pull the changes from the server
    • list: List all the environments created by the current user
    • delete: Delete the current environment

Usage

All of the subcommands below require the user to confirm their password.

  • Init: envoix init

    • Project name
    • env file's relative location
  • Push: envoix push

  • Pull: envoix pull

  • List: envoix list

  • Delete: envoix delete

Security

The biggest concern of a user is security. Envoix guarantees that all the user data, including:

  • password
  • environment variables

is securely stored (encrypted or hashed) on the server.

Password

The user's password is the most important asset in securing other relevant data, so it should be stored securely.

  • The user's password is not stored on the server, either in plain text or in any encrypted form
  • bcrypt is used to hash the password, and the resulting hash is stored in the db.

Environment Variables/data

Here comes the fun part,

It took me more days to securely store the env variables than coding all the other features

Okay, so what's the keyword here? It's key wrapping.

Why key wrapping?

Let's analyze our requirements:

  1. Secure
  2. Encryption and Decryption by more than one user
  3. Not storing the (encryption/decryption) key on the server

Considering above requirements, we don't have a lot of options.

  1. RSA key pair / Asymmetric encryption

    • It can be implemented here, but it also comes with certain limitations
      • The user can't move between devices (easily)
      • Need to store public keys for each device of each user
  2. Other symmetric encryptions (password sharing, pke challenges, etc)

    • Not suitable for this use case
  3. Key wrapping

Implementing Key wrapping algorithm

All the encryption is done using aes-256-cbc and all the hashing is done using the sha-512 algorithm.

  1. When a new environment is initialised, an encryption key called the Master Encryption Key (MEK) is generated on the server.

  2. The MEK is used to encrypt/decrypt data during push/pull actions.

  3. The MEK is encrypted using the user's plain-text password, which is passed for verification during the init action.

  4. The encrypted MEK (eMEK), or Key Encryption Key (KEK), is stored in a table alongside the user's permissions.

  5. When a new user (X) is added by a user (Y) with admin or add_user privileges:

    - MEK = decrypt(KEK(Y), pass_Y)
    - KEK(X) = encrypt(MEK, otp)
    - KEK(X) is stored alongside the permissions of user X

     An OTP is used to create KEK(X) because we don't have pass_X.

  6. During the first pull by user X, the OTP is also asked for, and then KEK(X) is replaced by encrypt(MEK, pass_X).

  7. Afterwards, each push/pull action is performed with the MEK derived from the user's KEK.
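The wrap, OTP hand-off and rewrap flow described above, as an added example that is not taken from the envoix code base. It swaps in scrypt and AES-256-GCM for the sha-512 and aes-256-cbc the README names, so that a wrong password or a modified record is rejected instead of decrypting to garbage; all function names, passwords and the OTP are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Stretch a secret (password or OTP) into a 256-bit wrapping key.
const deriveKey = (secret, salt) => crypto.scryptSync(secret, salt, 32);

// Wrap the MEK under a secret. The returned record is what would sit beside
// the user's permissions; the README calls this stored blob the user's KEK.
function wrap(mek, secret) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  const ct = Buffer.concat([c.update(mek), c.final()]);
  return { salt, iv, ct, tag: c.getAuthTag() };
}

// Recover the MEK. Throws if the secret is wrong or the record was altered.
function unwrap(rec, secret) {
  const d = crypto.createDecipheriv('aes-256-gcm', deriveKey(secret, rec.salt), rec.iv);
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.ct), d.final()]);
}

// Init: generate the MEK and wrap it under the creator's password.
// The raw MEK is returned only so the demo can compare results.
function initEnvironment(password) {
  const mek = crypto.randomBytes(32);
  return { mek, record: wrap(mek, password) };
}

// Adding user X: Y unwraps with pass_Y, then rewraps under a one-time password.
const addUser = (recordY, passY, otp) => wrap(unwrap(recordY, passY), otp);

// First pull by X: the OTP record is replaced by one wrapped under pass_X.
const firstPull = (recordX, otp, passX) => wrap(unwrap(recordX, otp), passX);

// Constructed walk-through with made-up secrets.
function demo() {
  const { mek, record: recY } = initEnvironment('pass_Y-constructed');
  const otpRecord = addUser(recY, 'pass_Y-constructed', '493027');
  const recX = firstPull(otpRecord, '493027', 'pass_X-constructed');
  let otpStillWorks = true;
  try { unwrap(recX, '493027'); } catch { otpStillWorks = false; }
  const sameMek = unwrap(recX, 'pass_X-constructed').equals(mek) &&
    unwrap(recY, 'pass_Y-constructed').equals(mek);
  return { sameMek, otpStillWorks };
}
```

Both users end up with independent records that unwrap to the same MEK, and the OTP no longer opens user X's record once it has been replaced.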

Proposed features

  • Multiple environments (prod, dev, etc.) in the same config
  • Storing env history

Self Hosting

The Envoix-server can be self-hosted, and it can be integrated inside this library. See the official repo at theanuragshukla/envoix-server for detailed instructions.

Contributions

If you'd like to improve the functionality and security of this library, feel free to raise an issue and then we can work on that together. Also try working on the proposed features.

FAQs

  1. Where is the server?

    • As of now, I've hosted the server at https://envoix.anurags.tech and it should work fine for a small userbase.
  2. Can it be self-hosted?

    • For private use or within an organisation, I'd suggest self-hosting. It'll be good for my small server and your special use case.