The secret vars need to be somewhere (.env, app.config.js, etc) for availability in the local dev environment. These vars are plain text and are sent to the EAS server, isn’t that a security issue? I read the doc but it seems strange to me. Thanks!
can you elaborate on what you are using secrets for? i think you may be misunderstanding what secrets on eas build are for – you should not be using any secrets inside of your application code. secrets on eas build are intended for things like your sentry api key, which is used during the build process to upload your sourcemaps but not included in your application code. you may find this doc to be useful Security · React Native
Sorry for the delay…
If I have a value in eas.json but not in app.config.js, that value is not accessible when I run expo start --dev-client. eg without my Google API key in app.config.js, login/subscribe with Google doesn’t work when I run expo start --dev-client, it just works on a production/internal build.
Currently I use a .env file which is loaded in app.config.js and eas.json, when I send it to EAS my secrets can be seen as plain text in the Read app config step, this is my confusion point, is this behavior expected?
Those values can be accessed by anyone if they download the apk or ipa from the store and unzip it. It is not an expo/react-native issue, any secrets in client-side code can be accessed if someone is determined enough.
If you don’t want to keep those values in your repo you can keep using eas secrets for that, but this is not why this feature exists. The main use case for it is to pass secrets that are not part of the build, like brent mentioned above, e.g. sentry keys, ssh keys, gitcrypt key, keys for private npm registries
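The point made in the replies above, that any value placed in the app config ships inside the client, can be checked on your own project before building. The following is an added example, not code from this thread or from Expo; the function names and sample values are constructed, and it assumes you pass it the text of your .env file and the resolved app config object.

```javascript
// Added example: report which .env values appear in the resolved app config.
// Every hit is a value that is embedded in the client and readable from the APK/IPA.

// Minimal .env parser: KEY=VALUE lines, optional quotes, '#' comment lines.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue;
    let value = line.slice(eq + 1).trim();
    const quoted = /^(['"])(.*)\1$/.exec(value);
    if (quoted) value = quoted[2];
    if (value) vars[line.slice(0, eq).trim()] = value;
  }
  return vars;
}

// Walk the config and record every string field that contains a .env value.
function findEmbeddedEnvValues(envText, appConfig) {
  const env = Object.entries(parseDotenv(envText));
  const hits = [];
  const walk = (node, path) => {
    if (typeof node === 'string') {
      for (const [envKey, value] of env) {
        // Skip very short values to avoid accidental substring matches.
        if (value.length >= 8 && node.includes(value)) hits.push({ envKey, configPath: path });
      }
    } else if (node && typeof node === 'object') {
      for (const [k, v] of Object.entries(node)) walk(v, path ? `${path}.${k}` : k);
    }
  };
  walk(appConfig, '');
  return hits;
}

// Constructed sample input (placeholder values, not real keys).
const SAMPLE_ENV = [
  '# constructed values',
  'GOOGLE_API_KEY="example-google-key-0001"',
  'SENTRY_AUTH_TOKEN=example-sentry-token-0002',
].join('\n');
const SAMPLE_CONFIG = {
  name: 'demo-app',
  extra: { googleApiKey: 'example-google-key-0001' },
  android: { config: { googleMaps: { apiKey: 'example-google-key-0001' } } },
};
const SAMPLE_HITS = findEmbeddedEnvValues(SAMPLE_ENV, SAMPLE_CONFIG);
console.log(SAMPLE_HITS);
```

In the sample, the Google key is reported at two config paths, while the Sentry token, which is only needed during the build, does not appear in the config at all.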