PhilflowIO/tsdav

Feature: Init wizard should store credentials in .env file

Open

#23 opened on Nov 5, 2025

View on GitHub
 (0 comments) (0 reactions) (0 assignees)TypeScript (0 forks)auto 404
enhancementgood first issue

Repository metrics

Stars
 (0 stars)
PR merge metrics
 (PR metrics pending)

Description

Feature: Init wizard should store credentials in .env file

Problem

Currently, the init command creates a configuration file with credentials stored in plaintext:

{
  "source": {
    "credentials": {
      "username": "my-username",
      "password": "my-secret-password"
    }
  }
}

Issues with this approach:

  • ❌ Passwords visible in plaintext JSON files
  • ❌ Risk of accidentally committing credentials to version control
  • ❌ Not following industry best practices
  • ❌ Poor DX when sharing configs across teams

Proposed Solution

The init wizard should automatically create two files:

1. .env file (contains actual credentials)

SOURCE_USERNAME=my-username
SOURCE_PASSWORD=my-secret-password
TARGET_USERNAME=target-user
TARGET_PASSWORD=target-password

2. Config JSON (contains references)

{
  "source": {
    "credentials": {
      "username": "env:SOURCE_USERNAME",
      "password": "env:SOURCE_PASSWORD"
    }
  }
}

Implementation Details

Changes to init.ts:

  1. Collect credentials during wizard

    • Use inquirer with type: 'password' for hidden input
  2. Write to .env file

    const envContent = `
    # Source Provider Credentials
    SOURCE_USERNAME=${sourceUsername}
    SOURCE_PASSWORD=${sourcePassword}
    
    # Target Provider Credentials
    TARGET_USERNAME=${targetUsername}
    TARGET_PASSWORD=${targetPassword}
    `.trim();
    
    fs.writeFileSync('.env', envContent);
    
  3. Generate config with env references

    const config = {
      source: {
        credentials: {
          username: 'env:SOURCE_USERNAME',
          password: 'env:SOURCE_PASSWORD'
        }
      }
    };
    
  4. Update .gitignore

    • Add .env if not already present
    • Show warning to user
  5. Create .env.template

    # Copy this to .env and fill in your credentials
    SOURCE_USERNAME=
    SOURCE_PASSWORD=
    TARGET_USERNAME=
    TARGET_PASSWORD=
    

User Feedback:

✓ Configuration saved to: my-migration.json
✓ Credentials saved to: .env

⚠️  Important: Never commit .env to version control!
    The .env file has been added to .gitignore.

💡 Tip: Share .env.template with your team (without credentials)

Benefits

Security: Credentials never stored in JSON config ✅ Git-safe: .env automatically ignored ✅ Industry standard: Follows practices used by Next.js, Prisma, Supabase ✅ Team-friendly: Each developer has their own .envDX improvement: One-time credential entry

Examples from Other Tools

Next.js:

npx create-next-app
# Creates: .env.local

Prisma:

prisma init
# Creates: .env with DATABASE_URL

Supabase:

supabase init
# Creates: .env with API keys

Alternative Considered

Keep current behavior but add a --use-env flag:

dav-migrate init --use-env

However, this makes the secure approach opt-in rather than default, which is less ideal.

Suggested Labels

  • enhancement
  • security
  • cli
  • good first issue

Contributor guide