Feature: Init wizard should store credentials in .env file
#23 geöffnet am 5. Nov. 2025
Repository-Metriken
- Stars
- (0 Stars)
- PR-Merge-Metriken
- (PR-Metriken ausstehend)
Beschreibung
Feature: Init wizard should store credentials in .env file
Problem
Currently, the init command creates a configuration file with credentials stored in plaintext:
{
"source": {
"credentials": {
"username": "my-username",
"password": "my-secret-password"
}
}
}
Issues with this approach:
- ❌ Passwords visible in plaintext JSON files
- ❌ Risk of accidentally committing credentials to version control
- ❌ Not following industry best practices
- ❌ Poor DX when sharing configs across teams
Proposed Solution
The init wizard should automatically create two files:
1. .env file (contains actual credentials)
SOURCE_USERNAME=my-username
SOURCE_PASSWORD=my-secret-password
TARGET_USERNAME=target-user
TARGET_PASSWORD=target-password
2. Config JSON (contains references)
{
"source": {
"credentials": {
"username": "env:SOURCE_USERNAME",
"password": "env:SOURCE_PASSWORD"
}
}
}
Implementation Details
Changes to init.ts:
-
Collect credentials during wizard
- Use
inquirerwithtype: 'password'for hidden input
- Use
-
Write to
.envfileconst envContent = ` # Source Provider Credentials SOURCE_USERNAME=${sourceUsername} SOURCE_PASSWORD=${sourcePassword} # Target Provider Credentials TARGET_USERNAME=${targetUsername} TARGET_PASSWORD=${targetPassword} `.trim(); fs.writeFileSync('.env', envContent); -
Generate config with env references
const config = { source: { credentials: { username: 'env:SOURCE_USERNAME', password: 'env:SOURCE_PASSWORD' } } }; -
Update
.gitignore- Add
.envif not already present - Show warning to user
- Add
-
Create
.env.template# Copy this to .env and fill in your credentials SOURCE_USERNAME= SOURCE_PASSWORD= TARGET_USERNAME= TARGET_PASSWORD=
User Feedback:
✓ Configuration saved to: my-migration.json
✓ Credentials saved to: .env
⚠️ Important: Never commit .env to version control!
The .env file has been added to .gitignore.
💡 Tip: Share .env.template with your team (without credentials)
Benefits
✅ Security: Credentials never stored in JSON config
✅ Git-safe: .env automatically ignored
✅ Industry standard: Follows practices used by Next.js, Prisma, Supabase
✅ Team-friendly: Each developer has their own .env
✅ DX improvement: One-time credential entry
Examples from Other Tools
Next.js:
npx create-next-app
# Creates: .env.local
Prisma:
prisma init
# Creates: .env with DATABASE_URL
Supabase:
supabase init
# Creates: .env with API keys
Alternative Considered
Keep current behavior but add a --use-env flag:
dav-migrate init --use-env
However, this makes the secure approach opt-in rather than default, which is less ideal.
Suggested Labels
enhancementsecuritycligood first issue