Implement Database Config in Env variables

[clsource]

Short description of the enhancement

In order to Processwire be more friendly to different deploys (dev, staging, production)
it will help to separate the information stored in site/config.php to ENV variables.

Optional: Steps that explain the enhancement

1. Instead of writing the values to config.php write to the .htaccess file
2. config.php will read those values using http://php.net/manual/en/function.getenv.php

Current vs. suggested behavior

Current behaviour is storing the database connection and other important info
in the config.php file.

Suggested behavior is storing those values in the .htaccess and reading them
with ENV functions.

Why would the enhancement be useful to users?

The main argument is here https://12factor.net/config

Env vars are easy to change between deploys without changing any code; unlike config files, there is little chance of them being checked into the code repo accidentally; and unlike custom config files, or other config mechanisms such as Java System Properties, they are a language- and OS-agnostic standard.

In a twelve-factor app, env vars are granular controls, each fully orthogonal to other env vars. They are never grouped together as “environments”, but instead are independently managed for each deploy. This is a model that scales up smoothly as the app naturally expands into more deploys over its lifetime.

Optional: Screenshots/Links that demonstrate the enhancement

Values that should be stored in env files
should be

/**
 * Installer: Database Configuration
 * 
 */
$config->dbHost = getenv('PW_DB_HOST');
$config->dbName = getenv('PW_DB_PORT');
$config->dbUser = getenv('PW_DB_USER');
$config->dbPass = getenv('PW_DB_PASSWORD');
$config->dbPort = getenv('PW_DB_PORT');
$config->dbCharset = getenv('PW_DB_CHARSET');

/**
 * Installer: User Authentication Salt 
 * 
 * Must be retained if you migrate your site from one server to another
 * 
 */
$config->userAuthSalt = getenv('PW_AUTH_SALT');

Using a virtual host

<VirtualHost hostname:80>
  ...
  SetEnv PW_DB_HOST localhost
  SetEnv PW_DB_PORT 3306
  SetEnv PW_DB_NAME mydatabase
  SetEnv PW_DB_USER pw_user
  SetEnv PW_DB_PASSWORD pw_pass
  SetEnv PW_DB_CHARSET utf8mb4
  
  SetEnv PW_AUTH_SALT c21280cf997a07b29132f3eb82893c54 
  ...
</VirtualHost>

Or htaccess

  SetEnv PW_DB_HOST localhost
  SetEnv PW_DB_PORT 3306
  SetEnv PW_DB_NAME mydatabase
  SetEnv PW_DB_USER pw_user
  SetEnv PW_DB_PASSWORD pw_pass
  SetEnv PW_DB_CHARSET utf8mb4
  
  SetEnv PW_AUTH_SALT c21280cf997a07b29132f3eb82893c54 

This behaviour could be implemented as an optional step in installation. Letting the user chose to save the config values in the config.php file or the .htaccess file. Beign storing in the config.php the default option.

[LostKobrakai]

I'm not sure why processwire should implement that, when you can easily add that on your own. Not everyone is using 12 factor apps and there are various other ways of having environment specific settings like for example importing a config-env.php, which is not automatically deployed.

[ethanbeyer]

I ran into this problem myself, but I am with @LostKobrakai: I don't think this needs to be in core.

Currently I handle these issues in a DRY way with the following config.php:

<?php

if(!defined("PROCESSWIRE")) die();

/**
 * Server Character Encoding Fix
 */
setlocale(LC_ALL,'en_US.UTF-8');

/*** SITE CONFIG *************************************************************************/

/**
 * Environment-Specific Configs
 *
 * These should not be tracked in a resulting repository.
 */
require_once("env.php");

/**
 * Template Pre/Append
 */
$config->prependTemplateFile    = '__init.php';
$config->appendTemplateFile     = '_foot.php';

// ...

Then of course I have a env.php file that is not tracked in any repository:

<?php

$config->debug = true;

/**
 * Environment Name
 */
$config->env = 'dev';

/**
 * Installer: Database Configuration
 * 
 */
$config->dbHost = 'localhost';
$config->dbName = 'database';
$config->dbUser = 'user';
$config->dbPass = 'pass';
$config->dbPort = '3306';

$config->httpHosts = array('mysite.dev');

$config->enableStatcounter = false;

// anything else

[ryancramerdesign]

Another way you can do it is like this:

if($_SERVER['HTTP_HOST'] === 'localhost') {
  // settings for local dev server
} else {
  // settings for production server
}

Of course it'd be fine to use an $_ENV (or getenv) instead of the $_SERVER http_host if you preferred. Yet another alternative is to maintain separate /site/config.php and /site/config-dev.php files. When the config-dev.php file is present, it will be used instead of config.php. So you would only keep a copy of that on your dev server (and not on your production server).

[mikerockett]

Whilst I use dotenv in my PW sites, I do actually prefer the config-dev method… Might switch to it. :-)

[clsource]

I think this is better to leave to personal choice then 👍
thanks for your answers and insights

[gmclelland]

Interesting read about safely storing secrets https://blog.fortrabbit.com/how-to-keep-a-secret