R shinylive: Who can view the app?

posit-dev / shinylive

Run Shiny on Python and R (compiled to wasm) in the browser

https://shinylive.io/py/examples/

MIT License

194 stars 15 forks source link

R shinylive: Who can view the app? #109

Open dmresearch15 opened 7 months ago

dmresearch15 commented 7 months ago

When utilising shinylive.io/r to develop an app, the question arises: "Who has access to view the app?" After generating the application URL, it is disseminated exclusively to a chosen group of users. Can it be guaranteed that only these specifically selected individuals have the ability to view the app?

gadenbuie commented 7 months ago

Hi @dmresearch15! The short answer to your question is no, it's not possible to restrict access to an app created on https://shinylive.io/r -- anybody who has the link can access the app. We don't have a registry of apps, so your link won't be publicly published or even revealed to us, just the people you share it with.

https://shinylive.io encodes the entire app bundle in the app's URL. For example, in this link to the timer demo app, which looks like https://shinylive.io/r/editor/#code=NobwRAdg...., the random letters and numbers after #code= encode the app's code. Clearly it would take someone a bit of work to decode the app, which is what shinylive.io does when you load that link, but it's obfuscated for a convenient URL and not encrypted.

dmresearch15 commented 7 months ago

Hello, appreciate your prompt reply. The information provided is indeed helpful. However, I require further clarification. My aim is to share confidential information selectively with a specific user group. To achieve this, I plan to place the application URL on our organisation's intranet, secured with a password. This will restrict access to the chosen group of users. In the event that certain individuals within this group opt to decode the app, it's acceptable. The key point is to ensure that no one outside this designated group gains access to the URL or the application. Eagerly awaiting your response.

toxintoxin commented 7 months ago

Hello, appreciate your prompt reply. The information provided is indeed helpful. However, I require further clarification. My aim is to share confidential information selectively with a specific user group. To achieve this, I plan to place the application URL on our organisation's intranet, secured with a password. This will restrict access to the chosen group of users. In the event that certain individuals within this group opt to decode the app, it's acceptable. The key point is to ensure that no one outside this designated group gains access to the URL or the application. Eagerly awaiting your response.

package shinymanager or shinyauthr might help (need remote database to protect credentials), you can try.
I haven't deployed my app successfully via shinylive yet :(
So I can't tell you the answer, sorry

gadenbuie commented 7 months ago

To clarify: anyone with the shinylive.io URL can access and see the source code of the application you're sharing. Do not put credentials in your app's source code. Do not expect a URL you've shared with others to be kept private.

We (Posit, the maintainers of https://shinylive.io) do not track or store the URLs for applications created with shinylive.io. That said, you should consider a generated URL from shinylive.io to be semi-public and should take appropriate precautions.

For internal use, you can use the shinylive R package to create a standalone static webpage with your application that you could host internally on your intranet.