#Where is the source code of the frontend/webapp?
17 messages · Page 1 of 1 (latest)
You can never distribute credentials in an app, no matter what system you use. Like it's not just against your better judgment, it's just not something that's ever possible in any app framework
And yes the frontend is bundled into the binary
Binaries are hard to read, but not impossible. If you bake any kind of secret into a binary (or literally any format ever that the user is capable of accessing in any way, shape or form), you have to assume it's no longer secure
Appreciate the feedback! It's really not something I'm keen on doing, and it's only for a (closed) beta. Still not perfect, but I don't think it is too much of a threat, basically just don't want some bored tester sifting through plain text .js files.
It's better to learn how to properly implement a secure credential API/system than it is to find out whether it's secure or not to bake credentials into the app itself
If it's a closed beta consider having an invite code system, it's easy enough to implement an API for it. And it removes the risk (if done properly) for a user to access something they shouldn't
Well it's not a .txt file at least so if your closed beta is extremely closed (close friends for example) then it's ok I guess, but if your closed beta includes a single stranger, assume that stranger will try to hack it
So you definitely need to:
- Ensure that whatever secret it is you're baking into your app can't cause major mayhem on your system (e.g. a GitHub PAT: then you can expect all your repos to be deleted by tomorrow)
- When your closed beta is over, you seriously, seriously need to switch how you do it. Because I'm not kidding: if you're even a basic hacker, reading the file you're baking into the binary is essentially the same thing as you putting it in a plain .txt file (speaking from experience)
Again, I appreciate your concerns -- and I share them. Baked-in APIs will NOT see the light of production and the beta is closed off. The credentials are for signing a JWT that gives a few database privileges on a throwaway development server set up for the beta.
The baked-in credentials aren't even the main reason for this question, the status/location of the source code is actually important for simple protection of IP reasons.
Yea but that's the thing though, your IP isn't any more protected in Tauri just because it's in the binary, that's what I'm trying to tell you 😛
If you send the binary to someone and they decide they wanna know your entire source code they can just decompile it
Well, not the entire thing ofc due to conditional compilation, but there's basically no secrets in what you distribute. Protecting your IP happens by not distributing it
I guess I never really thought about the cost of a domain for hosting an API on... but if you do get a domain, Cloudflare and many others can "hide" your IP behind their proxy for HTTP. That changes if you use a raw TCP/UDP service though.
IP = Intellectual Property in this context 😉
Ahh. Makes sense. I mean the actual source code of the frontend isn't really hard to get from a binary. Sure, it's probably obfuscated, but JS obfuscation is such a joke, it's pretty easy to decipher. On the other hand, the actual Rust source code is basically completely indecipherable unless you have lots and lots of time
You don't get the original Rust source code back ofc, in no small part because of conditional compilation, but you can't prevent a decompiler from getting the assembly instructions, which in turn can be pieced together into source code that generates that assembly code
That, however, is only relevant for the actual binary code you make, the Rust code; the frontend's code, as you say, is far easier to extract in its entirety
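Added example, not code from the thread or from Tauri: a small Python script that does what the replies above describe. It pulls printable strings out of a binary the way the `strings` tool does, flags the ones that look like bundled JavaScript or credentials, and then uses a recovered HS256 signing key to mint a JWT with arbitrary claims, which is exactly the risk of shipping a JWT signing secret in a client. The "binary" is a constructed byte blob (a few filler machine-code bytes plus embedded script and a fake, PAT-shaped key); `FAKE_BINARY`, `FAKE_SIGNING_KEY` and every function name are assumptions made for this example.

```python
"""Added example: how little a secret baked into a client binary protects.

1. `strings`-style extraction of printable runs from the binary.
2. Flagging bundled JS and credential-shaped strings.
3. Minting an HS256 JWT with the recovered key (stdlib only).
"""
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed stand-in for a compiled app. Real binaries are mostly machine
# code, but bundled JS and include_str!/env! literals sit in the data
# section as plain bytes, which is all this blob models.
FAKE_SIGNING_KEY = "ghp_EXAMPLE" + "0" * 29             # fake, PAT-shaped (40 chars)
MACHINE_CODE = bytes([0x55, 0x48, 0x89, 0xE5, 0x90, 0xC3]) * 32  # filler, not printable runs
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01" + MACHINE_CODE
    + b"<script>const API_BASE='https://beta.example.test';</script>\x00"
    + b'const SIGNING_SECRET = "' + FAKE_SIGNING_KEY.encode() + b'";\x00'
    + MACHINE_CODE
    + b"export function login(u,p){return fetch(API_BASE+'/login')}\x00"
)

# `strings` default behaviour: runs of at least 8 printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")

# Shapes that should never appear in anything handed to a user.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "hardcoded_secret": re.compile(
        r"(?i)(secret|api[_-]?key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}
JS_MARKERS = ("function ", "const ", "export ", "<script>")


def extract_strings(blob: bytes) -> list:
    """Every printable run in the blob, decoded as ASCII."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def find_js(strings: list) -> list:
    """Strings that look like bundled JavaScript, i.e. the frontend source."""
    return [s for s in strings if any(marker in s for marker in JS_MARKERS)]


def find_secrets(strings: list) -> list:
    """(kind, matched_text) for every credential-shaped string."""
    hits = []
    for s in strings:
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(s):
                hits.append((kind, m.group()))
    return hits


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_hs256_jwt(secret: str, claims: dict) -> str:
    """Sign arbitrary claims with a recovered HS256 key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256_jwt(secret: str, token: str) -> Optional[dict]:
    """What the beta server would do: return the claims if the signature holds."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def demo() -> dict:
    """Run the whole chain against the constructed binary."""
    strings = extract_strings(FAKE_BINARY)
    secrets = find_secrets(strings)
    key = next(text for kind, text in secrets if kind == "github_pat")
    forged = mint_hs256_jwt(key, {"sub": "bored-tester", "role": "admin"})
    return {
        "js_found": find_js(strings),
        "secrets": secrets,
        "forged_claims": verify_hs256_jwt(key, forged),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real build the first two steps are just `strings -n 8 ./app | grep -iE 'secret|token|ghp_'`; no decompiler is involved, which is the point made above about the bundled frontend. The third step is why a signing key in particular is worse than a read-only credential: whoever reads it can issue tokens with any claims the server trusts.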