环境变量在使用Browserify时显示为未定义。

huangapple go评论72阅读模式
英文:

Env variables showing as undefined when using browserify

问题

我刚刚在我的系统上安装了Browserify,并成功地将我的脚本捆绑在一起,但当我调用我的环境变量时,我得到了undefined

我的文件结构:

MyProject
    dist
    node_modules
    src
        index.html
        index.js
        bundle.js
    .env
    package-lock.json
    package.json
    yarn.lock

index.html

<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet"/>
<script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.8/dist/umd/popper.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.min.js"></script>

<div class="d-flex align-items-center justify-content-center" id="record">
    <div class="input-group mb-3 input-group-lg w-50">
      <input type="text" class="form-control" id="rec-id" placeholder="Enter ID">
      <button class="btn btn-success" id="mybtn" type="button">Enter</button>
    </div>
</div>

<div class="d-flex align-items-center justify-content-center d-none" id="show-alert">
    <div class="alert alert-danger alert-dismissible fade show row">
      <button type="button" class="btn-close" data-bs-dismiss="alert"></button>
      <strong>Danger!</strong> Button was clicked
    </div>
  </div>

<script src="bundle.js"></script>

index.js

require("dotenv").config();
console.log(process.env.MY_TOKEN);

成功运行了browserify src/index.js -o src/bundle.js

.env

MY_TOKEN=qwer123456

当我运行我的代码时,控制台中显示undefined,而不是qwer123456

英文:

I just installed browserify on my system and am able to bundle my scripts but when I call my env variables I am getting undefined.

My file structure:

MyProject
    dist
    node_modules
    src
        index.html
        index.js
        bundle.js
    .env
    package-lock.json
    package.json
    yarn.lock

index.html

<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet"/>
<script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.8/dist/umd/popper.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.min.js"></script>

<div class="d-flex align-items-center justify-content-center" id="record">
    <div class="input-group mb-3 input-group-lg w-50">
      <input type="text" class="form-control" id="rec-id" placeholder="Enter ID">
      <button class="btn btn-success" id="mybtn" type="button">Enter</button>
    </div>
</div>

<div class="d-flex align-items-center justify-content-center d-none" id="show-alert">
    <div class="alert alert-danger alert-dismissible fade show row">
      <button type="button" class="btn-close" data-bs-dismiss="alert"></button>
      <strong>Danger!</strong> Button was clicked
    </div>
  </div>


<script src="bundle.js"></script>

index.js

require("dotenv").config();
console.log(process.env.MY_TOKEN);

Successfully ran browserify src/index.js -o src/bundle.js

.env

MY_TOKEN=qwer123456

When I run my code, I am getting undefined in my console instead of qwer123456.

答案1

得分: 1

Webpack(类似于Browserify的工具)有一个插件,可以将dotenv的数据暴露给捆绑后的代码。然而,你不应该这样做。

你在评论中说过:

>> 你的目标是仅将.env文件的内容保持不在Git存储库中,还是要隐藏它们不让使用你的网站的人看到?

> 我想要两者都实现

.env文件有两个目的:

  • 它使你能够在不同的环境中使用不同的值(例如,在生产、qa、开发等不同数据库时,数据库服务器的地址)。
  • 它允许你避免将凭据放入版本控制

它不能隐藏需要使用它的环境中的值。

为了让客户端JavaScript访问你的Slack授权令牌,你必须将Slack授权令牌提供给浏览器。浏览器完全由用户控制。如果你这样做,用户可以读取授权令牌,并使用该授权执行任何他们想要的Slack API操作。

要保密令牌,你需要在服务器端代码中使用它们,并通过API(例如可以通过Ajax访问的API)暴露客户端应具备的任何(有限的)功能,你可能应该使用你自己的身份验证和授权机制来保护它。

英文:

You can't do that.


Webpack (which does a similar job to Browserify) has a plugin that can expose dotenv data to bundled code. However, you do not want to do that.

You said, in a comment:

>> Is your goal just to keep the contents of the .env file out of your git repository or are you trying to keep them hidden from people using your website?

> I am trying to do both

A .env file serves two purposes:

  • It makes it easy for you to use different values in different environments (e.g. the address of a database server when you have different databases for production, qa, development, and so on).
  • It lets you avoid putting credentials into version control

It does not, and cannot, hide a value from the environment that needs to use it.

For your client-side JavaScript to access your Slack auth token, you have to give the Slack auth token to the browser. The browser is completely under the control of the user. If you do that then the user can read the auth token and do anything with the Slack API they like with that authorisation.

To keep the tokens secret you need to use them in server-side code and expose any (limited) functionality the client should have over an API (e.g. one that can be accessed via Ajax) which you should probably secure with your own AuthN/AuthZ.

答案2

得分: 0

尝试使用 dotenv.parse() 解析 .env 文件的内容:

const dotenv = require('dotenv'),
      fs = require('fs');

const buf = fs.readFileSync('./.env');
const envVars = dotenv.parse(buf);
console.log(envVars.MY_TOKEN);
英文:

Try to parse content of the .env file by using dotenv.parse():

const dotenv = require('dotenv'),
          fs = require('fs');

const buf = fs.readFileSync('./.env');
const envVars = dotenv.parse(buf);
console.log(envVars.MY_TOKEN);

huangapple
  • 本文由 发表于 2023年7月13日 23:59:41
  • 转载请务必保留本文链接:https://go.coder-hub.com/76681334.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定