
I am currently looking into creating an electron application using next js, mongodb and realm.

After looking through the mongodb documentation I came across the integration guide "Quick start with electron using react". I found this guide to be very informative, but I am trying to understand if the company made an oversight when creating this guide.

guide: https://www.mongodb.com/docs/realm/sdk/node/integrations/electron-cra/#std-label-node-electron-cra-client-quick-start

The guide has this boilerplate code which enables you to write to the realm.

import Realm from "realm"; // Realm Node SDK: provides Realm.App, Realm.Credentials and Realm.open

const app = new Realm.App({ id: "<Your App ID>" }); // create a new instance of the Realm.App
async function run() {
  // login with an anonymous credential
  await app.logIn(Realm.Credentials.anonymous());
  const DogSchema = {
    name: "Dog",
    properties: {
      _id: "int",
      name: "string",
      age: "int",
    },
    primaryKey: "_id",
  };
  const realm = await Realm.open({
    schema: [DogSchema],
    sync: {
      user: app.currentUser,
      partitionValue: "myPartition",
    },
  });
  // The myPartition realm is now synced to the device. You can
  // access it through the `realm` object returned by `Realm.open()`
  // write to the realm: every mutation has to run inside a write transaction
  realm.write(() => {
    realm.create("Dog", { _id: 1, name: "Rex", age: 3 });
  });
  realm.close();
}
run().catch(err => {
  console.error("Failed to open realm:", err);
});

To write to the realm you need to put your app id into the code (as shown above), which makes sense. The thing that doesn't make sense is: if this is an electron application, couldn't someone just find this id and then be able to write to and delete from your realm? Is this an oversight, or does mongodb want the user to figure out how to secretly store that app id themselves?

Since it's a guide that specifically talks about electron, I would think they would take security into account and put that into the guide.

I may be completely off base with this question, but I just want to understand if it is even possible to secretly store your app id / api key in an electron app. If it's not possible without using another api to fetch the key on start, then is this really an oversight? Or can that id be kept as plain text and still have the app be secure?

I understand that firebase and amplify also have this problem when working with electron. I figured that since mongodb has a guide that directly references electron, they would have found an easy fix to this problem.

2 Answers


  1. You can use the safeStorage API to store your app id on disk and prevent it from being accessed by other users.

  2. To me the article outlines code purely for learning purposes, because in production anonymous login is never enabled.

    In applications, such sensitive data are never part of the source code; instead they are loaded into memory at runtime. This can be a good starting point for you: Best practices to store sensitive information in Electron desktop application
