alexeiidilos, 2022-04-13 12:19:22
JavaScript

Where do I put a secret file that no one except my site should have access to?

I want to create a website that will transfer money in real time from my Ethereum wallet to another Ethereum wallet. To do this, I use the web3.js library in the JavaScript file.

This JS file also imports the .env file, which stores the API_URL of my application and also the key to my Ethereum wallet. The key is written there so that transactions can be made.
I am doing everything according to tutorials from the Internet.
I know that the secret key to the Ethereum wallet must be kept secret, because whoever owns it effectively owns the wallet itself and the ether on it.
All the tutorials even say that the .env file must not be pushed to GitHub.

I need to host my website.
There are two dangers here: either the hosting provider will steal my private key and ether, or some user will download my site (with wget, for example) and get this key and my ether.
Question: how can I put my site on the hosting without uploading the .env file there, so that I can still read the data from .env in app.js?

(The data from .env is used in the transfer function)

_app.js:

import { useEffect } from "react";
import Web3 from "web3";
import { createAlchemyWeb3 } from "@alch/alchemy-web3";

const myWallet = "MY_ETHEREUM_ADDRESS";
const sendTo = "SEND_TO_ADDRESS"; // where we send the ether

// web3 1.x only supports subscriptions over WebSocket, so the Infura endpoint has to be the wss:// one
// (with the original HttpProvider there is no filter/subscribe at all).
const web3 = new Web3(new Web3.providers.WebsocketProvider("wss://mainnet.infura.io/ws/v3/MY_KEY_IN_INFURA")); // my key in Infura

let balance = "0"; // wei, as a decimal string; getBalance returns a promise, so scanBalance fills this in

function scanBalance(walletAddress) {
  web3.eth.getBalance(walletAddress, function (err, bal) {
    if (err) {
      console.log(err);
    } else {
      balance = bal;
      console.log(`Balance [${walletAddress}]: ${web3.utils.fromWei(balance, "ether")}`); // fromWei lives under web3.utils in 1.x
      checkBalanceVal();
    }
  });
}

async function transfer() {
  const { API_URL, PRIVATE_KEY } = process.env; // here the data from the .env file is used
  const alchemyWeb3 = createAlchemyWeb3(API_URL);

  const nonce = await alchemyWeb3.eth.getTransactionCount(myWallet, "latest"); // nonce starts counting from 0
  const gas = 21000; // a plain ETH transfer always costs exactly 21000 gas
  const gasPrice = await alchemyWeb3.eth.getGasPrice();

  // The whole balance cannot be sent: the gas fee is paid from the same account, so subtract it first.
  const value = Web3.utils.toBN(balance).sub(Web3.utils.toBN(gasPrice).muln(gas));
  if (value.lten(0)) {
    console.log("balance does not cover the gas fee");
    return;
  }

  const transaction = {
    to: sendTo,
    value: value.toString(),
    gas,
    gasPrice,
    nonce,
    // optional data field to send a message or execute a smart contract
  };

  const signedTx = await alchemyWeb3.eth.accounts.signTransaction(transaction, PRIVATE_KEY);

  alchemyWeb3.eth.sendSignedTransaction(signedTx.rawTransaction, function (error, hash) {
    if (!error) {
      console.log(" The hash of your transaction is: ", hash, "\n Check Alchemy's Mempool to view the status of your transaction!");
    } else {
      console.log("❗Something went wrong while submitting your transaction:", error);
    }
  });
}

function checkBalanceVal() {
  if (Web3.utils.toBN(balance).gtn(0)) {
    console.log("balance > 0");
    transfer();
  } else {
    console.log("balance == 0"); // a balance is never negative
  }
}

function MyApp({ Component, pageProps }) {
  // Subscribe once when the app mounts instead of on every render. "newBlockHeaders" replaces the
  // web3 0.x filter('latest') call that produced "TypeError: web3.eth.filter is not a function".
  useEffect(() => {
    scanBalance(myWallet);
    const subscription = web3.eth.subscribe("newBlockHeaders", (err) => {
      if (err) console.log(err);
      else scanBalance(myWallet);
    });
    return () => subscription.unsubscribe();
  }, []);

  return <Component {...pageProps} />;
}

export default MyApp

1 answer(s)
zloydrek, 2022-04-13
@alexeidilos

Don't use the client side as the starting point for a transaction.
Make some kind of layer between the site and the code: the site calls some kind of backend API with parameters saying where to send and how much, and the backend holds the code that connects to the wallet and performs all the necessary actions. The wallet file itself should be placed in a folder that the web server has no access to.
Or, if you say it will be hosting, then shoving the file and the key there is suicide. It is much easier to build a mechanism through an intermediary, Telegram for example.
You send from the site to a secret chat whom to pay and how much. A bot on your computer reads this chat and performs all the actions from YOUR computer, behind all sorts of NATs and other firewalls.
