BitGo · tylerlevine · Jan 11, 2019 · Jan 8, 2019 · Jan 8, 2019 · Jan 10, 2019
@@ -24,7 +24,7 @@ We recommend using `nvm`, the [Node Version Manager](https://github.com/creation
 
 # Full Documentation
 
-View our [Javascript SDK Documentation](https://www.bitgo.com/api/?javascript#authentication).
+View our [Javascript SDK Documentation](https://www.bitgo.com/api/v2).
 
 # Example Usage
 
@@ -79,7 +79,7 @@ wallet.sendCoins({
 ```
 
 ## More examples
-Further demos and examples can be found in the [example](example/) directory and [documented here](https://www.bitgo.com/api/?javascript#examples).
+Further demos and examples can be found in the [example](example/) directory and [documented here](https://www.bitgo.com/api/v2/?javascript#examples).
 
 # BitGo Express Local Signing Server (REST API)
 
@@ -90,6 +90,8 @@ This ensures your keys never leave your network, and are not seen by BitGo. BitG
 
 `bin/bitgo-express [-h] [-v] [-p PORT] [-b BIND] [-e ENV] [-d] [-l LOGFILEPATH] [-k KEYPATH] [-c CRTPATH]`
 
+**Note:** When running against the BitGo production environment, you must run node in a production configuration as well. You can do that by running `export NODE_ENV=production` prior to starting bitgo-express.
+
 For a full tutorial of how to install, authenticate, and use Bitgo Express, see the [Bitgo Express Quickstart](https://platform.bitgo.com/bitgo-express/)
 
 # Usage in Browser

@@ -15,7 +15,14 @@ class TlsConfigurationError extends BitGoJsError {
   }
 }
 
+class NodeEnvironmentError extends BitGoJsError {
+  constructor(message) {
+    super(message || 'NODE_ENV is invalid for the current bitgo environment');
+  }
+}
+
 module.exports = {
   BitGoJsError,
-  TlsConfigurationError
+  TlsConfigurationError,
+  NodeEnvironmentError
 };
@@ -15,7 +15,7 @@ const { SSL_OP_NO_TLSv1 } = require('constants');
 
 const common = require('./common');
 const pjson = require('../package.json');
-const { TlsConfigurationError } = require('./errors');
+const { TlsConfigurationError, NodeEnvironmentError } = require('./errors');
 
 const BITGOEXPRESS_USER_AGENT = 'BitGoExpress/' + pjson.version;
 
@@ -26,7 +26,7 @@ const BITGOEXPRESS_USER_AGENT = 'BitGoExpress/' + pjson.version;
  * @return {*}
  */
 function validateArgs(args) {
-  const { env, bind, disablessl, crtpath, keypath } = args;
+  const { env, bind, disablessl, crtpath, keypath, disableenvcheck } = args;
   const needsTLS = env === 'prod' && bind !== 'localhost' && !disablessl;
 
   if (needsTLS && !(keypath && crtpath)) {
@@ -37,6 +37,14 @@ function validateArgs(args) {
     throw new TlsConfigurationError('Must provide both keypath and crtpath when running in TLS mode!');
   }
 
+  if (env === 'prod' && process.env.NODE_ENV !== 'production') {
+    if (!disableenvcheck) {
+      throw new NodeEnvironmentError('NODE_ENV should be set to production when running against prod environment. Use --disableenvcheck if you really want to run in a non-production node configuration.');
+    } else {
+      console.warn(`warning: unsafe NODE_ENV '${process.env.NODE_ENV}'. NODE_ENV must be set to 'production' when running against BitGo production environment.`);
+    }
+  }
+
   return args;
 }
 
@@ -220,6 +228,12 @@ module.exports.parseArgs = function() {
     help: 'disable the proxy, not routing any non-express routes'
   });
 
+  parser.addArgument(['--disableenvcheck'], {
+    action: 'storeTrue',
+    defaultValue: true, // BG-9584: temporarily disable env check while we give users time to react to change in runtime behavior
+    help: 'disable checking for proper NODE_ENV when running in prod environment'
+  });
+
   return parser.parseArgs();
 };
 

@@ -15,7 +15,7 @@ const httpProxy = require('http-proxy');
 const { Environments } = require('../../../src/common');
 const co = require('bluebird').coroutine;
 const { SSL_OP_NO_TLSv1 } = require('constants');
-const { TlsConfigurationError } = require('../../../src/errors');
+const { TlsConfigurationError, NodeEnvironmentError } = require('../../../src/errors');
 
 nock.disableNetConnect();
 
@@ -29,10 +29,45 @@ const {
 describe('Bitgo Express', function() {
 
   describe('server initialization', function() {
+
+    it('should require NODE_ENV to be production when running against prod env', function() {
+      const envStub = sinon.stub(process, 'env').value({ NODE_ENV: 'production' });
+
+      try {
+        (() => expressApp({
+          env: 'prod',
+          bind: 'localhost'
+        })).should.not.throw();
+
+        process.env.NODE_ENV = 'dev';
+        (() => expressApp({
+          env: 'prod',
+          bind: 'localhost'
+        })).should.throw(NodeEnvironmentError);
+      } finally {
+        envStub.restore();
+      }
+    });
+
+    it('should disable NODE_ENV check if disableenvcheck argument is given', function() {
+      const envStub = sinon.stub(process, 'env').value({ NODE_ENV: 'dev' });
+
+      try {
+        (() => expressApp({
+          env: 'prod',
+          bind: 'localhost',
+          disableenvcheck: true
+        })).should.not.throw();
+      } finally {
+        envStub.restore();
+      }
+    });
+
     it('should require TLS for prod env when listening on external interfaces', function() {
       const args = {
         env: 'prod',
-        bind: '1'
+        bind: '1',
+        disableenvcheck: true
       };
 
       (() => expressApp(args)).should.throw(TlsConfigurationError);
@@ -55,6 +90,7 @@ describe('Bitgo Express', function() {
       delete args.crtpath;
       args.keypath = '/tmp/key.pem';
       (() => expressApp(args)).should.throw(TlsConfigurationError);
+
     });
 
     it('should require both keypath and crtpath when using TLS, but TLS is not required', function() {
@@ -273,7 +309,8 @@ describe('Bitgo Express', function() {
 
       const args = {
         env: 'prod',
-        disablessl: true
+        disablessl: true,
+        disableenvcheck: true
       };
 
       expressApp(args);