Environment mixing

What is environment mixing?

Environment mixing happens when you accidentally load secrets from the wrong environment. For example, you might load production secrets in a development environment, or vice versa. This can lead to serious security/application issues, and it's important to prevent it.

How Fatima helps

Fatima will require you to explicitly define a environment function in your env.config.ts file

export default config({
  environment: (processEnv) => processEnv.NODE_ENV,
});

When Fatima tries to load secrets, it uses the environment function to determine which environment to load variables from.

However, right after all secrets are loaded, Fatima injects them into process.env and runs the environment function again.

If for some reason the environment function returns a different environment than the one loaded, Fatima will throw an error.

By doing so we can add a double layer of security to make sure that the loaded secrets are from the same environment as the one we're asking them for, or vice-versa.

How you could mess up

1. Using WHATEVER_ENV=production fatima run in development

Few people will define a load.production function in config, that's because fatima run generally should not be used in production.

Production variables should be loaded in CI/CD pipelines, directly into the hosting machine process.env.

But if you actually defined load.production and you run the command described above, you will load production secrets into your local process. Not much to do here, Fatima can't help you with that.

As for the existance of the fatima run command, I've also questioned it, but it is nice for testing purposes.

2. Setting the wrong environments in your secret storage

Unfortunately, there's not much to do if you set your production database URL in your secret storage development environment. Fatima can't help you with that.