nuxt-community / electron-template

Electron starter with nuxt.js
MIT License
251 stars 31 forks

do not open port in production #14

Closed alidcast closed 6 years ago

alidcast commented 6 years ago

Stumbled upon this article on how the Zeit team integrated Next with Electron: https://leo.im/2017/electron-next

One consideration they mention is not to open a port in production due to security vulnerabilities:

The reason why electron-next doesn't have the same behaviour in the final app as in development is that opening a port (like Next.js does it for providing hot reloading and auto-building of your code) is generally not a good idea because it introduces a security vulnerability on the user's device.

It's therefore safe for development, but not for production.

What's much safer, however, is letting the BrowserWindow instances directly access the static files of your renderer. This is made possible by next export, a new sub command that we've introduced with Next.js 3

I'm guessing next export is equivalent to running nuxt in --spa mode. So perhaps similar considerations can be applied to this template.

cc @Atinux

atinux commented 6 years ago

Hi @alidcastano

Actually next export is the equivalent of nuxt generate, but I believe server-side rendering is pretty useless in an Electron app, and forcing mode: spa will allow us to avoid opening a port in production by serving the dist/ folder :)

yuchonghua commented 6 years ago

[Use registerStreamProtocol and nuxt.render](https://github.com/nuxt-community/electron-template/issues/19)

```sh
git clone https://github.com/ddvjs/electron-test.git
cd electron-test
npm i
npm run dev
```

HadiChen commented 6 years ago

I do not want to use nuxt generate because it is very troublesome; I hope to use registerStreamProtocol and nuxt.render.

yuchonghua commented 6 years ago

[image]

Can you simulate it like this?

yuchonghua commented 6 years ago

I want to use nuxt.render to render registerStreamProtocol /ping @Atinux

yuchonghua commented 6 years ago

Is there a solution to this approach?

HoraceKeung commented 6 years ago

Submitted a PR to serve /dist/electron for production, hence no need to open a port. https://github.com/nuxt-community/electron-template/pull/20 I know it is not using registerStreamProtocol; I don't have enough knowledge to figure it out, but this should be better than opening a port in production.

HoraceKeung commented 6 years ago

I closed the pull request as I found out the paths to the images do not work in production, either in /assets/img or /static/img.
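
The approach this thread converges on (serve the generated dist/ files to the BrowserWindow through a custom protocol so that no local port is opened in production) can be sketched as follows. This is an added example, not code from the issue, the PR or the template; the scheme `app`, the host `bundle`, the `distDir` argument and both function names are assumptions, and root-relative asset URLs additionally need the scheme registered as standard with `protocol.registerSchemesAsPrivileged` before the app is ready.

```javascript
// Added example: serve the generated renderer over a custom scheme, not a TCP port.
// Assumed names (not from the template): scheme "app", host "bundle", distDir.
const fs = require('fs');
const path = require('path');

const MIME = {
  '.html': 'text/html', '.js': 'text/javascript', '.css': 'text/css',
  '.json': 'application/json', '.png': 'image/png', '.svg': 'image/svg+xml',
};

// Map a request URL to a file inside distDir; null means "refuse".
function resolveRequest(distDir, rawUrl) {
  let pathname;
  try {
    const url = new URL(rawUrl);
    if (url.protocol !== 'app:' || url.hostname !== 'bundle') return null;
    pathname = decodeURIComponent(url.pathname); // throws on malformed escapes
  } catch (err) {
    return null;
  }
  if (pathname.includes('\0')) return null;
  const root = path.resolve(distDir);
  const file = path.resolve(root, '.' + pathname);
  // Containment check: an encoded "../" (..%2f) must not escape dist/.
  if (file !== root && !file.startsWith(root + path.sep)) return null;
  // SPA fallback: extension-less routes (/, /about) load the single index.html.
  return file === root || path.extname(file) === ''
    ? path.join(root, 'index.html') : file;
}

// `protocol` is Electron's protocol module, passed in so this file has no
// hard dependency on Electron; call it after the app 'ready' event.
function registerAppProtocol(protocol, distDir) {
  protocol.registerStreamProtocol('app', (request, callback) => {
    const file = resolveRequest(distDir, request.url);
    if (!file || !fs.existsSync(file) || !fs.statSync(file).isFile()) {
      return callback({ error: -6 }); // net::ERR_FILE_NOT_FOUND
    }
    const type = MIME[path.extname(file).toLowerCase()] || 'application/octet-stream';
    callback({
      statusCode: 200,
      headers: { 'content-type': type, 'x-content-type-options': 'nosniff' },
      data: fs.createReadStream(file),
    });
  });
}
```

In the main process this would be wired up with `registerAppProtocol(require('electron').protocol, distPath)` and the window loaded from `app://bundle/`. Recent Electron releases deprecate `registerStreamProtocol` in favour of `protocol.handle`, so the registration call is the part to adapt there.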