Background
Thank you for this useful tool. We've been using node-convict in our production app for awhile. Recently, we tried creating a custom format via addFormat, private-key-pem that as implied by its name,
- Takes a private key pem string (from an environment variable
PRIVATE_KEY) and coerce it into node.js's KeyObject
convict.addFormats({
'private-key-pem': {
validate: (val: unknown) => {
// ... validation logic
},
coerce: function (val: string): KeyObject {
return createPrivateKey(val)
},
},
- If the
PRIVATE_KEY environment variable is not found, it defaults to a dummy unuseable private key as per follow
{
doc: 'Test Key (Secret)',
format: 'private-key-pem',
default: createPrivateKey(UNUSEABLE_PRIVATE_KEY),
env: 'PRIVATE_KEY',
}
Problem
Briefly glancing through convict package's main.js, I understand that convict uses lodash's cloneDeep to (1) return a deep clone of the config upon config.get and (2) deep clone default-able values in addDefaultValues. This is problematic for us as cloneDeep refuses to clone KeyObjects or CryptoKeys.
Assumption
I made a simple assumption that the original intent of using cloneDeep was to prevent possible mutations on the underlying config instance. ex.
const testStringArray = config.get('some.config')
testStringArray.push('something') // don't want original value at 'some.config' to be mutated!
Proposal
I propose that we add handling of KeyObjects instances by cloning KeyObjects with an explicitexport and createPrivateKey. A simplified example for illustration would be as below (which should be sufficient for cloning private keys that aren't encrypted with a passphase)
const clonedKeyObj = createPrivateKey(originalKeyObj.export({ type : 'pkcs8', format : 'pem' }) // Simplified example
Background
Thank you for this useful tool. We've been using
node-convictin our production app for awhile. Recently, we tried creating a customformatviaaddFormat,private-key-pemthat as implied by its name,PRIVATE_KEY) andcoerceit into node.js's KeyObjectPRIVATE_KEYenvironment variable is not found, itdefaults to a dummy unuseable private key as per followProblem
Briefly glancing through
convictpackage'smain.js, I understand thatconvictuses lodash'scloneDeepto (1) return a deep clone of the config uponconfig.getand (2) deep clonedefault-able values inaddDefaultValues. This is problematic for us ascloneDeeprefuses to cloneKeyObjects orCryptoKeys.Assumption
I made a simple assumption that the original intent of using
cloneDeepwas to prevent possible mutations on the underlying config instance. ex.Proposal
I propose that we add handling of
KeyObjects instances by cloningKeyObjects with an explicitexportandcreatePrivateKey. A simplified example for illustration would be as below (which should be sufficient for cloning private keys that aren't encrypted with a passphase)