### The Issue
Storing unencrypted passwords freaks me out.
Sure, you can add .env files to .gitignore to keep them out of your repo, but that leaves plenty of room for mistakes. I prefer avoiding even the possibility of exposing credentials. We can get one step closer to that by storing credentials in password managers instead of plaintext files.
For example, here's a Next.js serverless function that uses environment variables in production but switches to using the macOS Keychain Access app (via the `security` command) in development.
The methodology is similar to the previous example. If a `SECRETS` environment variable exists, it's used. Otherwise, a call is made to the Keychain Access password manager. The difference is that the value returned in either case is a string that gets loaded as an object via `eval()`. As with `execSync()`, any use of `eval()` with untrusted user input is an extreme security risk. As before, that's not in play because I'm hard-coding everything myself. (If there's a security implication here I'm missing, please let me know.)
To use this method, set a value like this in the `SECRETS` environment variable in production and in your Keychain Access item locally:
An important point is that you'll need to keep everything on one line there. Otherwise, the process will choke. (In theory, you could load an entire set of environment variables this way, but it increases the risk profile to load secrets where they aren't needed.)
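An added example (not the post's original code): the same env-var-or-Keychain lookup, but parsing the stored string with `JSON.parse` instead of `eval()`, and calling `security` through `execFileSync` with an argument array instead of `execSync()`, so the value is only ever treated as data. It assumes the secret is stored as single-line JSON; the Keychain service and account names and the function names are hypothetical.

```javascript
// Constructed sample value (single-line JSON): {"API_KEY":"example","DB_PASS":"example"}
const KEYCHAIN_SERVICE = "example-app-secrets"; // hypothetical Keychain item name
const KEYCHAIN_ACCOUNT = "dev"; // hypothetical account label

// Development path: read one Keychain item with the macOS `security` CLI.
// execFileSync takes the arguments as an array, so no shell ever parses them.
function readKeychain(service, account) {
  // Required lazily: production uses SECRETS and never loads child_process.
  const { execFileSync } = require("node:child_process");
  return execFileSync(
    "security",
    ["find-generic-password", "-s", service, "-a", account, "-w"],
    { encoding: "utf8" }
  );
}

// Parse the single-line secrets string as data. JSON.parse cannot run code,
// so a tampered value fails to parse instead of executing.
function parseSecrets(raw) {
  let parsed;
  try {
    parsed = JSON.parse(raw.trim());
  } catch {
    throw new Error("SECRETS is not valid JSON"); // never echo the raw value
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("SECRETS must be a JSON object");
  }
  for (const [key, value] of Object.entries(parsed)) {
    if (typeof value !== "string") {
      throw new Error(`SECRETS.${key} must be a string`);
    }
  }
  return Object.freeze(parsed);
}

// The SECRETS env var wins (production); otherwise fall back to the Keychain.
function loadSecrets(env = process.env, keychain = readKeychain) {
  const raw = env.SECRETS ?? keychain(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT);
  return parseSecrets(raw);
}
```

The error messages name the offending key but never include the raw value, so a malformed secret does not end up in logs.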
And that's it.
With a small amount of code we can keep our passwords out of unencrypted plaintext files and make it less likely that we leak credentials.
P.S. Other password managers (like 1Password) offer CLI tools, but they tend to be all-or-nothing access. Once you provide permission, the entire set of passwords is open. With Keychain Access on the Mac, each password has to be unlocked individually. It's a little more of a hassle, but I prefer the approach. It's basically the idea of the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege).