oskar-gmerek / surreal-sveltekit

A Starter Kit with SurrealDB and Svelte [ SvelteKit ], featuring Authentication and CRUD Operations + Realtime
MIT License

env variable in realtime can't not show in client side #8

Closed tymon3568 closed 1 month ago

tymon3568 commented 2 months ago

If using realtime, when on the client side, will the token, user, password and database URL be exposed?

    // Svelte store seeded with the server-loaded rows
    const posts = createStore('my_posts', data.my_posts);

    // reactive reference keeps the store subscribed in this component
    $: $posts;
    // subscribe to live updates for the `post` table over the websocket
    observeLive('post', posts);
oskar-gmerek commented 2 months ago

@tymon3568

The user authorization token and the database URL will be exposed, as those are needed to establish the websocket connection, and this is the same as in any other software configuration where the client establishes a connection with a websocket server.

The user password will not be exposed. The only place where it is exposed is the login form, and what is exposed there is the user input for the password field (not the user password, from a technical point of view).

There are no known security issues, if you ask about it. But of course there may be security improvements, like for example the implementation of a token rotation system. But this is out of scope for this project.
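As an added illustration of the split described in the reply above (this is example code, not code from the issue or from surreal-sveltekit): a server-side helper, of the kind you would call from a SvelteKit `load` function, that hands the browser only the two things the realtime websocket needs, the database URL and the user's own session token, and drops everything else in the server environment such as root credentials. It also refuses to ship a token that is already expired. The env variable names, and the assumption that the session token is a JWT carrying an `exp` claim, are assumptions made for this example.

```javascript
// Added example (not code from surreal-sveltekit). Assumptions: env names are
// hypothetical; the session token is a compact JWT with an `exp` claim.
// Runs in Node (uses the global Buffer with 'base64url').

// Keys the browser needs to open the websocket: the database URL and the
// user's session token. Root user/password and anything else stay server-side.
const CLIENT_SAFE_KEYS = new Set(['SURREAL_URL', 'SESSION_TOKEN']);

// Decode the payload of a compact JWT without verifying the signature;
// verification is the database's job, here we only need the expiry so we
// never hand the client a token that is already dead.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const json = Buffer.from(parts[1], 'base64url').toString('utf8');
  return JSON.parse(json);
}

// Return the subset of `serverEnv` that may be sent to the client.
// Throws on a missing or expired token so a misconfiguration fails on the
// server instead of leaking into the page data.
function clientSafeConfig(serverEnv, nowSeconds = Math.floor(Date.now() / 1000)) {
  const out = {};
  for (const [key, value] of Object.entries(serverEnv)) {
    if (!CLIENT_SAFE_KEYS.has(key)) continue; // allow-list: drop everything else
    out[key] = value;
  }
  if (!out.SURREAL_URL || !out.SESSION_TOKEN) {
    throw new Error('SURREAL_URL and SESSION_TOKEN are required for the realtime client');
  }
  const { exp } = decodeJwtPayload(out.SESSION_TOKEN);
  if (typeof exp !== 'number') throw new Error('session token has no exp claim');
  if (exp <= nowSeconds) throw new Error('session token is expired');
  return out;
}

// Build a constructed sample JWT for demonstration only; the signature part is
// a placeholder, so nothing here would be accepted by a real database.
function makeSampleJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

// Constructed server environment: only URL and token should reach the browser.
const sampleServerEnv = {
  SURREAL_URL: 'wss://db.example.test/rpc',
  SURREAL_ROOT_USER: 'root',
  SURREAL_ROOT_PASS: 'constructed-secret',
  SESSION_TOKEN: makeSampleJwt({ sub: 'user:alice', exp: 2000000000 }),
};

console.log(Object.keys(clientSafeConfig(sampleServerEnv, 1700000000)));
```

In a SvelteKit app the object returned by `clientSafeConfig` is what a server `load` function would return as page data; the root credentials never appear in that return value, which is the property the reply above describes.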