From 934d06b512a3fc2d35f8b4b6e6fe3c8e1325385f Mon Sep 17 00:00:00 2001
From: lilia
Date: Thu, 13 Apr 2017 12:34:52 -0700
Subject: [PATCH] Override environment vars in production

Don't allow environment vars to muck with configs in production.
// FREEBIE
---
 main.js | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/main.js b/main.js
index 970f6e82b..2307bcd79 100644
--- a/main.js
+++ b/main.js
@@ -32,7 +32,28 @@ const environment = package_json.environment || process.env.NODE_ENV || 'develop
 // Set environment vars to configure node-config before requiring it
 process.env.NODE_ENV = environment;
 process.env.NODE_CONFIG_DIR = path.join(__dirname, 'config');
+if (environment === 'production') {
+ // harden production config against the local env
+ process.env.NODE_CONFIG = '';
+ process.env.NODE_CONFIG_STRICT_MODE = true;
+ process.env.HOSTNAME = '';
+ process.env.NODE_APP_INSTANCE = '';
+ process.env.ALLOW_CONFIG_MUTATIONS = '';
+ process.env.SUPPRESS_NO_CONFIG_WARNING = '';
+}
 const config = require('config');
+// Log resulting env vars in use by config
+[
+ 'NODE_ENV',
+ 'NODE_CONFIG_DIR',
+ 'NODE_CONFIG',
+ 'ALLOW_CONFIG_MUTATIONS',
+ 'HOSTNAME',
+ 'NODE_APP_INSTANCE',
+ 'SUPPRESS_NO_CONFIG_WARNING'
+].forEach(function(s) {
+ console.log(s + ' ' + config.util.getEnv(s));
+});
 
 // use a separate data directory for development
 if (config.has('storageProfile')) {
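Review bot: Clearing these `process.env` entries in the production branch covers only part of what node-config reads: as far as I know the library also consults `HOST` ahead of `HOSTNAME` and accepts the same parameters as `--NAME=value` command-line arguments, neither of which this branch touches, so it is worth confirming against the bundled config version and adding `process.env.HOST = '';` plus a filter on `process.argv` before `require('config')`. The branch also runs only when `environment` resolves to 'production', and the hunk header shows that value can fall back to `process.env.NODE_ENV` when `package_json.environment` is absent, so the packaged build needs that field set for the hardening to be unconditional. `process.env.NODE_CONFIG_STRICT_MODE = true;` ends up storing the string 'true' because env values are coerced; writing `'true'` makes that explicit. The new log loop prints `NODE_CONFIG` on every start outside production, where it may carry override JSON, and it leaves out `NODE_CONFIG_STRICT_MODE`, so the log cannot confirm that strict mode took effect.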