
Comments (4)

sanneh2 avatar sanneh2 commented on July 22, 2024

This is part of the client-side bundle and therefore cannot be hidden from the client. React is responsible for this behavior. The client ID is OK to be seen in public. You have to keep the SECRET_KEY secret. This is usually used on the server side. In this case, inside the "main.js" process, it will be hidden.

// main.js
const GOOGLE_SECRET = process.env.GOOGLE_SECRET

from electron-react-boilerplate.

Thesiva7 avatar Thesiva7 commented on July 22, 2024

> This is part of the client-side bundle and therefore cannot be hidden from the client. React is responsible for this behavior. The client ID is OK to be seen in public. You have to keep the SECRET_KEY secret. This is usually used on the server side. In this case, inside the "main.js" process, it will be hidden.
>
> // main.js
> const GOOGLE_SECRET = process.env.GOOGLE_SECRET

Hi @sanneh2,
But in main.js the env variables are also directly visible. I don't know how to hide the env variables from the .env file in the production application.

Please look at the images below of the production main.js; I have marked the encryptedkey field, which has its value from the .env file.

[Image: mainJS]

[Image: store]


sanneh2 avatar sanneh2 commented on July 22, 2024

This is a security question.

The best and most reliable thing is authentication and servers. So for example, if your users are logging in to your app, you could share secrets over a secure connection.

Unpackaging will always expose the entire code to the hacker. You can obfuscate it, encrypt it, or compile it with V8 bytecode, which I heard works great.

But security with an external server will always be the safest bet, because you can move the secrets and confidential information to a remote location outside of your app.


jooohhn avatar jooohhn commented on July 22, 2024

Hey @Thesiva7

What @sanneh2 said on security is correct; you shouldn't keep secrets on the client. electron-store also advises that encryptionKey is not intended for security purposes, only obfuscation.

I'm not sure what your app's codebase looks like, but maybe Google's OAuth JavaScript or server docs might help.

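A pre-release check for the situation reported in this thread, where a value from `.env` shows up as a literal in the production `main.js`. This is an added example, not code from the thread or from electron-react-boilerplate; the helper names, key names and sample file contents are constructed for illustration.

```javascript
// Added example: report which .env values appear as literals in a built bundle.
// All names and sample contents below are constructed for illustration.

// Minimal .env parser: KEY=value lines, optional quotes, '#' comment lines.
function parseDotenv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = /^(["'])(.*)\1$/.exec(value);
    if (quoted) value = quoted[2];
    vars.set(key, value);
  }
  return vars;
}

// Return the keys whose values occur verbatim in the bundle text.
// Short values are skipped to avoid matching ordinary code by accident.
function findInlinedEnvValues(envText, bundleText, minLength = 8) {
  const hits = [];
  for (const [key, value] of parseDotenv(envText)) {
    if (value.length < minLength) continue;
    const offset = bundleText.indexOf(value);
    if (offset !== -1) hits.push({ key, offset }); // never log the value itself
  }
  return hits;
}

// Constructed sample input: a .env file and a fragment of a bundled main.js
const sampleEnv = [
  '# constructed sample',
  'GOOGLE_CLIENT_ID=1234567890-example.apps.example.invalid',
  'GOOGLE_SECRET="constructed-secret-value-0001"',
  'STORE_KEY=constructed-store-key-0002',
  'PORT=1212',
].join('\n');
const sampleBundle =
  'const a="1234567890-example.apps.example.invalid";' +
  'const s=new Store({encryptionKey:"constructed-store-key-0002"});' +
  'const g=process.env.GOOGLE_SECRET;';

const hits = findInlinedEnvValues(sampleEnv, sampleBundle);
console.log(hits.map((h) => `${h.key} inlined at offset ${h.offset}`).join('\n'));
```

In the sample, the client ID hit matches what the thread says is acceptable to expose, while the store key hit is the kind of value that should be moved off the client.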
