env variable in realtime can't not show in client side
Closed this issue · 1 comments
If using realtime, when on the client side, will the token, user, password, database URL be exposed?
```js
const posts = createStore('my_posts', data.my_posts);
$: $posts;
observeLive('post', posts);
```
The user authorization token and database URL will be exposed, as those are needed to establish the WebSocket connection, and this is the same as in any other software configuration where the client establishes a connection with a WebSocket server.
The user password will not be exposed. The only place where it is exposed is the login form, and what is exposed there is the user input for the password field (not the user password from a technical point of view).
There are no known security issues, if you are asking about that. But of course there may be security improvements, for example the implementation of a token rotation system. But this is out of scope for this project.