Skip to content

feat: document secret handling in dioxus fullstack #496

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: document secret handling in dioxus fullstack #496

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 10 additions & 9 deletions docs-src/0.6/src/SUMMARY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,11 +58,12 @@
- [Fullstack](guides/fullstack/index.md)
- [Hydration](guides/fullstack/hydration.md)
- [Managing Dependencies](guides/fullstack/managing_dependencies.md)
- [Server Functions](guides/fullstack/server_functions.md)
- [Extractors](guides/fullstack/extractors.md)
- [Middleware](guides/fullstack/middleware.md)
- [Authentication](guides/fullstack/authentication.md)
- [Routing](guides/fullstack/routing.md)
- [Server Functions](guides/fullstack/server_functions.md)
- [Extractors](guides/fullstack/extractors.md)
- [Middleware](guides/fullstack/middleware.md)
- [Authentication](guides/fullstack/authentication.md)
- [Routing](guides/fullstack/routing.md)
- [Secrets](guides/fullstack/secrets.md)
- [Static Site Generation](guides/fullstack/static_site_generation.md)
- [Publishing](cookbook/publishing.md)
- [Anti-patterns](cookbook/antipatterns.md)
Expand Down Expand Up @@ -101,14 +102,14 @@

---
- [CLI](CLI/index.md)
- [Create a Project](CLI/creating.md)
- [Configure Project](CLI/configure.md)
- [Create a Project](CLI/creating.md)
- [Configure Project](CLI/configure.md)
- [Translate HTML](CLI/translate.md)

<!-- - [Static Generation](router/reference/static-generation.md) -->
<!-- - [CLI in Depth](router/reference/cli-in-depth.md)
- [SDK](router/reference/sdk.md)
- [Fullstack and the server](router/reference/fullstack-and-the-server.md) -->
- [SDK](router/reference/sdk.md)
- [Fullstack and the server](router/reference/fullstack-and-the-server.md) -->

<!-- - [Walkthrough of Internals](contributing/walkthrough_readme.md) -->
<!-- Empty file. TODO: Uncomment when the file is finished. - [Governance](contributing/governance.md) -->
Expand Down
70 changes: 70 additions & 0 deletions docs-src/0.6/src/guides/fullstack/secrets.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
# Managing Secrets

In Dioxus fullstack applications, there are two types of secrets:

1. **Server-side secrets**: These are sensitive values like database credentials or API keys that should never be exposed to the client.

1. **Client-side secrets**: These are values needed by the client application at compile time, such as API keys.

## Server-Side Secrets

Server-side secrets are intended to remain confidential and are only accessible within the server environment. To manage these secrets:

1. **Create a `.env` file**: At the root of your Dioxus project, create a `.env` file to store your server-side secrets. For example:

```sh
MONGODB_DB_NAME=your_database_name
```

1. **Load the `.env` file in your server entry point**: Use the [`dotenv`](https://docs.rs/dotenv) crate to load the environment variables. In your `main` entry point:

```rust
use dotenv::dotenv;
Copy link
Member

@ealmloff ealmloff May 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dotenv isn't maintained anymore. Can we use std::env::var directly or an alternative library?

Copy link
Author

@wiseaidev wiseaidev May 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! But at least it works with the latest rustc version, which is somewhat surprising since it has been abandoned for a very long time. I will update the docs to mention alternatives for loading all environment variables at once using a different crate.

use std::env;

#[cfg(not(feature = "web"))]
#[tokio::main]
async fn main() {
dotenv().ok();

// Access your environment variables
let db_name = env::var("MONGODB_DB_NAME").expect("MONGODB_DB_NAME must be set.");
// Initialize your server with the db_name or other configurations
}
```

This approach ensures that sensitive information is not hardcoded and can be managed securely outside of your source code.

## Client-Side Secrets

Client-side secrets are values that need to be embedded into the client application at compile time. Since browsers do not have access to environment variables at runtime, these values must be provided during the build process.

1. **Set environment variables during the build**: When building your client application, pass the necessary environment variables. For example:

```bash
STRIPE_PRICE_ID=price_12345 dx build --release
```

1. **Access the variables in your client code**: Use the [`env!`](https://doc.rust-lang.org/std/macro.env.html) macro to embed the environment variable values into your code at compile time:

```rust
#[component]
fn App() -> Element {
let price_id = env!("STRIPE_PRICE_ID");

rsx!{
}
}
```

This method ensures that the required values are available in the client application without exposing sensitive information at runtime.
Copy link
Member

@ealmloff ealmloff May 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To me this reads like you can sometimes include API keys on the client side which is true, but only if you have some other way to protect the API. You either need to restrict the API key in some other way or expose the functionality through your server with something like a server function. You should never include a normal API key on the client side at compile time. Some APIs, like Google Maps let you restrict an API to a specific domain: https://developers.google.com/maps/documentation/javascript/get-api-key#restrict_key

Copy link
Author

@wiseaidev wiseaidev May 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deal! Will mention this


## Important Considerations

- **Security**: Never expose sensitive server-side secrets to the client. Only include non-sensitive information in client-side environment variables.

- **Compile-Time Availability**: Ensure that all necessary environment variables are set during the build process to avoid compilation errors.

- **Consistency**: Maintain a clear distinction between server-side and client-side secrets to prevent accidental exposure of sensitive information.

By following these practices, you can manage secrets effectively in your Dioxus fullstack application, maintaining both security and functionality.
1 change: 1 addition & 0 deletions docs-src/0.6/src/guides/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,5 +20,6 @@ These guides contains more detailed explanations for some concepts covered in th
- [`Middleware`](fullstack/middleware.md) Middleware allows you to wrap a server function request or response
- [`Authentication`](fullstack/authentication.md) An overview of how to handle authentication with server functions
- [`Routing`](fullstack/routing.md) An overview of how to work with the router in the fullstack renderer
- [`Secrets`](fullstack/secrets.md) A guide on managing client-side and server-side secrets in Dioxus fullstack apps
- [`SSR`](ssr.md) Overview of the SSR renderer